Get the top 10 hosts in a composite query with aggregation

Hi, I'm trying to emulate the anomaly explorer in a custom vega-lite visualization. For that I need to get the top ten hosts based on the sum of their anomaly record_score. I have tried with this query, but the record_scores I get are always 0.0:

GET .ml-anomalies*/_search
{
  "size": 0,
  "aggs": {
    "my_buckets": {
      "composite": {
        "size": 10,
        "sources": [
          {
            "r_score": {
              "terms": {
                "field": "record_score"
              }
            }
          },
          {
            "host": {
              "terms": {
                "field": "partition_field_value"
              }
            }
          },
          {
            "date": {
              "date_histogram": {
                "field": "timestamp",
                "interval": "24h"
              }
            }
          }
        ]
      },
      "aggregations": {
        "the_sum": {
          "sum": {
            "field": "record_score"
          }
        }
      }
    }
  }
}

I need to use a composite query because it is easy to get the data for vega-lite.

Any recommendation on how I can achieve this?

Composite always produces the top N based on the sort order of the chosen key, not that of a child aggregation like a sum.
You can use the terms aggregation to sort by an order based on child aggregations. This wizard walks through the options.
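As an added example (not code from either poster), here is the terms-based shape the reply points at: a terms aggregation on partition_field_value ordered by its child sum, with a per-host daily breakdown, plus a helper that flattens Elasticsearch's nested bucket response into the flat rows vega-lite consumes. The field names come from the thread; fixed_interval is the current name for the thread's interval parameter, and the sample response is constructed.

```python
from typing import Any, Dict, List


def top_hosts_query(top_n: int = 10, interval: str = "24h") -> Dict[str, Any]:
    """Top N hosts by summed record_score, then a daily sum per host.

    Unlike a composite source, a terms aggregation can sort its buckets by a
    child aggregation ("order": {"the_sum": "desc"}), which is what the
    question needs. Composite would return the first N keys in key order.
    """
    return {
        "size": 0,
        "aggs": {
            "hosts": {
                "terms": {
                    "field": "partition_field_value",
                    "size": top_n,
                    "order": {"the_sum": "desc"},
                },
                "aggs": {
                    "the_sum": {"sum": {"field": "record_score"}},
                    "per_day": {
                        "date_histogram": {"field": "timestamp", "fixed_interval": interval},
                        "aggs": {"day_sum": {"sum": {"field": "record_score"}}},
                    },
                },
            }
        },
    }


def flatten(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn nested terms -> date_histogram buckets into flat host/date/score rows."""
    rows = []
    for host_bucket in response["aggregations"]["hosts"]["buckets"]:
        for day in host_bucket["per_day"]["buckets"]:
            rows.append({"host": host_bucket["key"],
                         "date": day["key_as_string"],
                         "score": day["day_sum"]["value"]})
    return rows


# Constructed sample response, shaped like Elasticsearch's reply to the query above.
SAMPLE_RESPONSE = {"aggregations": {"hosts": {"buckets": [
    {"key": "web-01", "the_sum": {"value": 91.5}, "per_day": {"buckets": [
        {"key_as_string": "2023-01-01T00:00:00.000Z", "day_sum": {"value": 80.0}},
        {"key_as_string": "2023-01-02T00:00:00.000Z", "day_sum": {"value": 11.5}}]}},
    {"key": "db-02", "the_sum": {"value": 12.0}, "per_day": {"buckets": [
        {"key_as_string": "2023-01-01T00:00:00.000Z", "day_sum": {"value": 12.0}}]}},
]}}}

if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(row)
```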
