Flatten nested aggregation

Elastic Stack Elasticsearch
1

Hi, I am trying to flatten out the aggregation below:

GET _search
{
  "size": 0,
  "aggs": {
    "ACTION": {
      "terms": {
        "field": "action.keyword"
      },
      "aggs": {
        "MONTH": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "month"
          }
        }
      }
    }
  }

The current result is:

  "aggregations": {
    "ACTION": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 985,
      "buckets": [
        {
          "key": "index",
          "doc_count": 8289,
          "MONTH": {
            "buckets": [
              {
                "key_as_string": "2018-02-01T00:00:00.000Z",
                "key": 1517443200000,
                "doc_count": 4723
              },
              {
                "key_as_string": "2018-03-01T00:00:00.000Z",
                "key": 1519862400000,
                "doc_count": 3566
              }
            ]
          }
        } 
        ...

I would like to flatten it and get something like:

[{
   "key_ACTION": "index",
   "key_MONTH": "2018-02-01",
   "doc_count": 4723
   }, {
   "key_ACTION": "index",
   "key_MONTH": "2018-03-01",
   "doc_count": 3566
  }, { ... }
]

I figured there must be a built-in alternative to that already implemented... I am also open to alternative ways of handling it.

My final goal is to plot it in Kibana with the Vega plugin.

2

@denismaciel you can use ES composite aggregation to generate a flat result, or if you are using Kibana 6.0 or 6.1 (not supported for 6.2 yet), you can install Vega plugin and use Vega flatten transformation

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.