Filter with aggregate value in Query DSL

Elastic Stack Kibana
1

Hi everybody,
I'm kind of new on elastic and I'm trying to apply this filter on my index : cpu > 0.6 x max_daily_cpu. I succeed to create a query to get the max daily CPU :

POST /_search
{
      "size": 0,
      "aggs": {
        "cpu_per_day": {
         "date_histogram": {
          "field": "@timestamp",
          "calendar_interval": "day"
          },
          "aggs": {
            "max_daily_cpu": {
             "max": {
                "field": "cpu_load"
            }
          }
        }
     }
   }
 }

But I don't know how to use this result in a query DSL.
Thanks for your help!

2

Can you be more specific about how you intend to use the results where this filter is being applied? Depending on your use case, the answer could range from "this isn't supported" to "there is a simple way to do this".

3

I think you are looking to add a bucket selector aggregation.

Something similar to the below.

{
  "bucket_selector": {
    "buckets_path": {
      "my_var1": "cpu_per_day",                     
      "my_var2": "max_daily_cpu"
    },
    "script": "params.my_var1 > (params.my_var2 * .6)"
  }
}
4

Firstly, it will be use in Discover to access to every document in my index that matches the filter and then this filter will be apply in some visualizations (for example, the average CPU for each device, the average size of network packet by device...).

5

Kibana filters can only operate on values that exist in individual documents, so you can't filter based on aggregates. If you had a field on individual documents that represented the average CPU usage, then you could do this. Some users find that the transforms feature of Elasticsearch is able to do this, but you'd have to evaluate it for your use.

6

Ok thanks for you answers, I will look into it!

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.