Hi,
Only buckets from one aggregation are needed ( "SumMaxT" - "sum_bucket"). Aggregation terms_H and it’s child MaxT should not be returned. I have tried bucket_selector but the result is not good - terms aggregations are still there and sum_bucket returning 0
The search:
GET _search
{
"size": 0,
"query": {
"filtered": {
"query": {
"query_string": {
"analyze_wildcard": true,
"query": "5"
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"timeStamp": {
"gte": 1447948755793,
"lte": 1447950175440,
"format": "epoch_millis"
}
}
}
]
}
}
}
},
"aggs": {
"2": {
"date_histogram": {
"interval": "1s",
"field": "timeStamp",
"min_doc_count": 1,
"extended_bounds": {
"min": "1447948755793",
"max": "1447950175440"
}
},
"aggs": {
"terms_H": {
"terms": {
"field": "Hostname",
"size": 2,
"order": {
"_term": "desc"
}
},
"aggs": {
"MaxT": {
"max": {
"field": "allThreads"
}
}
}
},
"SumMaxT": {
"sum_bucket": {
"buckets_path": "terms_H>MaxT"
}
}
}
}
}
}
The result:
"aggregations": {
"2": {
"buckets": [
{
"key_as_string": "1447949006000",
"key": 1447949006000,
"doc_count": 11,
"terms_H": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 7,
"buckets": [
{
"key": "Server5",
"doc_count": 1,
"MaxT": {
"value": 5
}
},
{
"key": "Server4",
"doc_count": 3,
"MaxT": {
"value": 5
}
}
]
},
"SumMaxT": {
"value": 10
}
},
...
]
}
}
Please advise how to keep the correct SumMaxT values and remove entirely terms_H!
Thanks in advance
Krum