I have a reports index and I need to count the number of reports per-user that have a specific string (keyword) field value in their last document (sorted by time) in some time range. I tried bucketing by user -> top (1) hits -> get max value -> filter by max value -> count buckets. It's supposed…

Get last document string value in each bucket

Mark_Harwood (Mark Harwood) January 2, 2021, 4:43pm 2

Sounds like a “last known state” type of problem.
This is normally best solved by building an entity-centric index from your log index. This can be done using the transform api and requires some scripting to record the last known state for each entity.

1 Like

ElasticSearch - Latest record per day per ID from elastic

How to group docs by latest doc and run aggregation on the group in elastic search?

Topic		Replies	Views
Get single value out of specific aggregation bucket document? Elasticsearch	2	653	December 28, 2017
Check the top_hits aggregation results to see if every top hit has a field with a specific value Elasticsearch	6	1124	October 8, 2019
Filter buckets after top_hits aggregation Elasticsearch	12	1554	June 22, 2020
Filter aggregation buckets by top hits scripted field Elasticsearch	1	573	July 5, 2021
Filter after aggregation Elasticsearch	3	792	September 17, 2019

Get last document string value in each bucket

Related topics