Getting last document per specific field

Malo_Maisonneuve · March 24, 2022, 11:23am

Hi,

I'm collecting logs from multiple devices, and I'm trying to retrieve the last log from each device.
For instance, I'd like to have :

"deviceId": 4568 => {content of last log according to timestamp for this device}
"deviceId": 7865 => {content of last log according to timestamp for this device}

I've tried to make it work with collapse and inner hits, but it doesn't seem to return what I'm looking for.

Current attempt:

GET data-*/_search
{
  "size": 10, 
  "query": {
    "exists": {
      "field": "deviceId"
    }
  },
  "collapse": {
    "field": "deviceId.keyword",
    "inner_hits": {
      "name": "most_recent",
      "size": 1,
      "sort": [ 
        {"@timestamp": {"order": "desc", "missing" : "_last"} }
        ]
    }
  }
}

spinscale · March 24, 2022, 1:11pm

Can you compile a small reproducible example to try out locally with 4-5 documents? Also the Elasticsearch version you are using would be helpful.

Thanks!

Malo_Maisonneuve · March 24, 2022, 2:52pm

Thanks for the quick response!
I'm using the 7.16.3 version of Elasticsearch.

Here are 5 documents:

PUT /test
{
  "mappings":{
    "properties": {
      "deviceId" : { "type" : "text" },
      "@timestamp": {"type" : "date"},
      "channel": {"type": "text"}
    }
  }
}

POST test/_doc/1
{
  "deviceId" : "456",
  "@timestamp" : "2022-03-24T11:00:00.000Z",
  "channel" : "A"
}

POST test/_doc/2
{
  "deviceId" : "456",
  "@timestamp" : "2022-03-24T12:00:00.000Z",
  "channel" : "B"
}

POST test/_doc/3
{
  "deviceId" : "123",
  "@timestamp" : "2022-03-24T11:00:00.000Z",
  "channel" : "C"
}

POST test/_doc/4
{
  "deviceId" : "123",
  "@timestamp" : "2022-03-24T12:00:00.000Z",
  "channel" : "D"
}

POST test/_doc/5
{
  "deviceId" : "123",
  "@timestamp" : "2022-03-24T13:00:00.000Z",
  "channel" : "E"
}

I want my query to return both documents below:

{
  "deviceId" : "456",
  "@timestamp" : "2022-03-24T12:00:00.000Z",
  "channel" : "B"
}
{
  "deviceId" : "123",
  "@timestamp" : "2022-03-24T13:00:00.000Z",
  "channel" : "E"
}

spinscale · March 28, 2022, 8:15am

I changed your sample to not map the deviceId as sorting is not possible on text fields. Then the following looks like it worked:

GET test/_search
{
  "collapse": {
    "field": "deviceId.keyword"
  },
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

system · April 25, 2022, 8:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get Last Document Stored based on the Unique Field Type Elasticsearch	1	1161	March 30, 2018
Is it possible to return only the most recent of 'each document'? Elasticsearch	3	39069	April 10, 2019
How to compare document fields in a elasticsearch query Elasticsearch	2	563	September 26, 2023
Getting the last value from an ElasticSearch index Logstash	7	338	May 24, 2024
Store last X documents per id Elasticsearch	11	209	May 3, 2024

Getting last document per specific field

Related Topics