Get all buckets with just one item

JPelastic · September 3, 2018, 2:59pm

GET certificates/_search
{
  "size": 0, 
  "aggs": {
    "per month": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "month"
      }, 
      "aggs": {
        "distinct": {
          "terms": {
            "field": "companyname.keyword",
            "size": 10
          },
          "aggs": {
            "one": {
              "max": {
                "distinct.doc_count": "1"
}}}}}}}}

This does not work, since I cannot access the doc_count of the previous aggregation. Could anyone point me to an alternative way of selecting all buckets that have exactly one item in them.

Mark_Harwood · September 3, 2018, 10:54pm

Sort by the terms agg by the rarest company names.
If you have many unique companies this can be wildly inaccurate though so see this technique of using multiple requests to bring back accuracy: https://github.com/elastic/elasticsearch/issues/17614#issuecomment-373689578

system · October 1, 2018, 10:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.