How to apply a histogram aggregation from the set of doc_counts from a previous aggregation?

pushshift · October 3, 2020, 11:19pm

I ran a terms aggregation and got back a bunch of buckets with keys and doc_counts. I want to treat the doc_counts from all the buckets returned as the input for a histogram aggregation (treat the doc_counts as a set). This is for analysis of API logs to determine how many different clients (IP addresses) use the API on a daily basis. So I would like to end up with data that would tell me 800 clients make 0-100 hits, 900 clients make 100-200 hits, etc.

How can this be accomplished? Would this be a sub-aggregation? Pipeline? Nested?

TL;DR: How to apply a histogram aggregation from the results of a terms aggregation (using the doc_counts as a set for input into the histogram aggregation.

Thank you!

spinscale · October 5, 2020, 9:25am

Hey,

from my first read, I would guess this is a histogram aggregation within the terms aggregation. The histogram agg, then works on all the documents that are part of the terms agg bucket - which I think is what you are after, correct?

--Alex

Mark_Harwood · October 5, 2020, 9:28am

Sounds like this would be the cardinality agg on the IP underneath the histogram so :

GET my_index/_search
{
  "size":0,
  "aggs": {
	"days": {
	  "date_histogram": {
		"field": "date",
		"interval": "day"
	  },
	  "aggs":{
		"daily users":{
		  "cardinality": {
			"field": "IP"
		  }
		}
	  }
	}
  }
}