I have index called "events", where each doc is different event. Events are generated by devices, which have internal ID's.
I want to group events by "deviceId", and then aggregate them by number of events they generated. Buckets may be "0-10", if particular device generated from 0 to 10 events (docs), and "10-100", "100-1000", "1000+" respectively.
It seems, I need "Pipeline Aggregations", but since I'm completely new to elastic, it's look little bit too tricky, and I can't find right query for this. Already tried a lot of different combinations with different level of nesting.
In the result, I wan't to count how many devices are presented in each group of this range buckets. DeviceId's also need to be available inside buckets, if I will want to get device list, or particular device details (both will be new queries and unrelated with this one).
Here is example code which for sure is not working:
GET events/_search { "size": 0, "aggs": {
"perMonth": {
"date_histogram": {
"field": "timestamp",
"interval": "1M",
"min_doc_count": 0
},
"aggs": {
"byDevice": {
"terms": {
"field": "deviceId"
}
},
"0-10": {
"bucket_script": {
"buckets_path": {
"count": "byDevice>_count"
},
"script": "params.count <= 10"
}
},
"10-100": {
"bucket_script": {
"buckets_path": {
"count": "byDevice>_count"
},
"script": "params.count > 10 && params.count >= 100"
}
},
"100-1000": {
"bucket_script": {
"buckets_path": {
"count": "byDevice>_count"
},
"script": "params.count > 100 && params.count >= 1000"
}
},
"1000+": {
"bucket_script": {
"buckets_path": {
"count": "byDevice>_count"
},
"script": "params.count > 1000"
}
}
}
}
}
}
As a result I wan't to get:
{ "0-10": { doc_count: n, docs: [...]}, "10-100": { doc_count: n, docs: [...]}, "100-1000": { doc_count: n, docs: [...]}, "1000+": { doc_count: n, docs: [...]} }