How do I query last 1 hour of data and order it based on time?

blueren · August 5, 2018, 5:50pm

Hello,

I have data in ES such as:

@timestamp --> Timestamp field
record.hostIP 
record.destIP
record.port
record.application
etc...

I would like to plot this on a graph in js and hence need time on the X axis and count of record.<> on the Y axis.

This query gets me docs sorted by timestamp vs count (of all documents).
What do I want to do if I need count of record.application in the last 1 hour, sorted by timestamp from earliest to latest?

GET _search
{
        "size": "0",
        "aggs": {
            "oneHourTimeRange": {
                "filter": {
                    "range": {
                        "@timestamp": {
                            "gte": "now-60m",
                            "lte": "now"
                        }
                    }
                },
                "aggs": {
                    "totalTraffic": {
                    "terms": {
                        "field": "@timestamp",
                        "size": 500,
                        "order": { "_key": "asc" } 
                    }
                }
            }
        }  
    }
}

blueren · August 6, 2018, 5:02pm

I would really appreciate done some helpful tips over this!

Thanks

system · September 3, 2018, 5:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.