Help creating multiple bucket aggregation

I've been having some trouble recreating an aggregation in Kibana. I have the following Elasticsearch aggregation that I would like to recreate, but I can't figure out how to create sub-buckets and take the max from them in Kibana (v6):

{
  "query": {
    "range": {
      "time_stamp": {
        "lt": "now",
        "gte": "now-1d"
      }
    }
  },
  "aggs": {
    "events_by_host": {
      "terms": {
        "field": "cell_host_the_app"
      },
      "aggs": {
        "events_by_date": {
          "date_histogram": {
            "field": "time_stamp",
            "interval": "30m"
          },
          "aggs": {
            "total_cpu": {
              "sum": {
                "field": "cpu_usage"
              }
            },
            "max_cpu": {
              "max": {
                "field": "cpu_usage"
              }
            }
          }
        },
        "max_aggregated_cpu": {
          "max_bucket": {
            "buckets_path": "events_by_date>total_cpu"
          }
        }
      }
    }
  }
}

hi @Motez_Musa,

You can create sub-aggregations by adding more buckets in the Data panel. They are evaluated hierarchically. For the leaves (in your case, total_cpu and max_cpu), you would create metrics.

For example, using the Data Table aggregation I can create this query:

This results in a query that looks very much like yours. The UI doesn't let you specify the identifiers for the aggregations; Kibana uses incrementing integers. So for you, they would map to:

2 -> events_by_host
3 -> events_by_date
1 -> total_cpu
4 -> max_cpu

(Of course, the field names in my index are different from yours.)

{
  "size": 0,
  "_source": {
    "excludes": []
  },
  "aggs": {
    "2": {
      "terms": {
        "field": "geo.dest",
        "size": 5,
        "order": {
          "1": "desc"
        }
      },
      "aggs": {
        "1": {
          "sum": {
            "field": "bytes"
          }
        },
        "3": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "1M",
            "time_zone": "America/New_York",
            "min_doc_count": 1
          },
          "aggs": {
            "1": {
              "sum": {
                "field": "bytes"
              }
            },
            "4": {
              "max": {
                "field": "memory"
              }
            }
          }
        }
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    "@timestamp",
    "relatedContent.article:modified_time",
    "relatedContent.article:published_time",
    "utc_time"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1366837521516,
              "lte": 1524603921516,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "filter": [],
      "should": [],
      "must_not": []
    }
  }
}
