Group By (Aggregation) to get only latest fields value

arvindK_sharma · January 9, 2020, 6:33am

I write a query to read the metricbeat file. This gives me the whatever I want but it repeats the value multiple time.

I want to group by this on latest timestamp so I can get only latest record.

Below is my query

string indexName = "metricbeat-7.4.2-" + DateTime.Now.Year.ToString() + "." + DateTime.Now.Month.ToString("00") + "." + DateTime.Now.Day.ToString("00");
connectionSettings = new ConnectionSettings(connectionPool).DefaultIndex(indexName);
elasticClient = new ElasticClient(connectionSettings);

        string[] systemFields = new string[]
        {
            "system.memory.actual.used.pct",
            "system.cpu.total.norm.pct"                
        };

        var elasticResponse = elasticClient.Search<object>(s => s
            .DocValueFields(dvf => dvf.Fields(systemFields))
            );

DSL query

get /metricbeat*/_search?pretty=true
{
"query" : {
"match_all": {}
},
"docvalue_fields" : [
"system.memory.actual.used.pct",
"system.cpu.total.norm.pct",
"system.load.5",
"docker.diskio.summary.bytes"
]
}

arvindK_sharma · January 9, 2020, 3:00pm

Please help

spinscale · January 9, 2020, 3:27pm

please note that this is a volunteer driven forum, and thus does not come with any guarantee of questions answered, so you may want to wait a little bit longer than a few hours before bumping your message. if you need support, it is there

For each metric you could execute a search with a size of 1 document to be returned and sort your search.

Or you could do a single search with for max aggregations for each field.

hope this helps!

arvindK_sharma · January 9, 2020, 4:48pm

Thanks Alexander for your suggestion and solution. I know this foram is volunteer but I was very very impatient this time. Sorry for that.

Any sample for second approch will be more helpful if I am not much bothering you.

arvindK_sharma · January 10, 2020, 4:01am

I tried this but it gives me 6 hour old record. like if I hit @11Am then it shows me record of 5AM

GET /metricbeat-7.4.2-2020.01.10/_search?pretty=true
{
"size": 0,
"aggs": {
"memory_aggs": {
"terms": {
"field": "system.memory.actual.used.pct",
"size": 1
},
"aggs": {
"max_timestamp": {
"max": {
"field": "@timestamp"
}
}
}
}
}
}

system · February 7, 2020, 4:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.