I have a bunch of user-generated events in my ES cluster. Each event
contains the user's UUID.
I'm trying to write a query that buckets users into low, medium and high
activity based on the number of events each user generates.
I'm using this query to get the number of events generated by each user:
{
  "aggs" : {
    "users" : {
      "terms" : { "field" : "user_id.raw" }
    }
  }
}
This works fine, but I need to further bucket the results into a range
query using the previous result's "doc_count", so that I can sort each user
into a low, med, high activity bucket. The buckets are fixed (at least for
now), so low=0-5, med=5-10, high=10+.
I tried a bunch of ways to access the doc_count field using a
sub-aggregation but never managed to get it to work. I figured this would be a
fairly common use case, but can't seem to crack it, so any help would be
much appreciated.
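
One way to do the second step on the client, as an added example that is not part of the original post: it reads the "users" terms aggregation response and sorts each user into the low/med/high tiers by doc_count. The sample response is constructed, the function names are hypothetical, and the boundaries are assumed to be lower-inclusive and upper-exclusive (a count of 5 is "med", 10 is "high").

```python
# Constructed sample in the shape of a terms-aggregation response.
SAMPLE_RESPONSE = {
    "aggregations": {
        "users": {
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "uuid-a", "doc_count": 2},
                {"key": "uuid-b", "doc_count": 5},
                {"key": "uuid-c", "doc_count": 9},
                {"key": "uuid-d", "doc_count": 10},
                {"key": "uuid-e", "doc_count": 42},
            ],
        }
    }
}

# Assumption: lower bound inclusive, upper bound exclusive.
TIERS = [("low", 0, 5), ("med", 5, 10), ("high", 10, None)]


def tier_for(count):
    """Return the tier name for one user's event count."""
    for name, lower, upper in TIERS:
        if count >= lower and (upper is None or count < upper):
            return name
    raise ValueError("count %r is outside every tier" % count)


def bucket_users(response, agg_name="users"):
    """Group user ids from the terms aggregation into activity tiers."""
    agg = response["aggregations"][agg_name]
    # A non-zero sum_other_doc_count means users were cut off by the
    # aggregation's "size" limit, so the tiers would be incomplete.
    if agg.get("sum_other_doc_count", 0) > 0:
        raise ValueError("terms aggregation truncated; raise its size")
    tiers = {name: [] for name, _, _ in TIERS}
    for bucket in agg["buckets"]:
        tiers[tier_for(bucket["doc_count"])].append(bucket["key"])
    return tiers


if __name__ == "__main__":
    for name, users in bucket_users(SAMPLE_RESPONSE).items():
        print(name, len(users), users)
```

A terms aggregation returns only its top buckets unless "size" is set high enough, which is why the function refuses a truncated response.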