How to get only one log per transaction that fits a match

Hi,

I want to know how many transactions have fields value between 0 and 3. For this the following query is good:

POST /filebeat-*/log/_search?scroll=1m&pretty
{
    "size": 100,
   "query": {
    
   "bool":{ 

      "must": [
        
		{ "match": {"concatenated": "FALSE"}},
        { "range": 
          { 
            "delay": 
              {
                "gte": 0,
                "lt":  3
              } 
          }
        },
        { "range": 
          { 
            "eventTimestamp.raw": 
              {
                "gte" : "now-999m/m",
                "lt" :  "now/m"
              } 
          }
        }
      ]
   }
  }
} 

The problem is that every transaction has around 5 logs, therefore, I will get: (around 5)*(the real amount of transactions have fields value between 0 and 3).

How can I get the exact amount of transactions have fields value between 0 and 3, every transaction has a field called transactionId and all of its logs have the same transactionId .

I saw that in the past I could've use this, but today there is no "search_type=count" so this does not work for me.

Maybe use the 'cardinality' aggregation on your transaction field ?

You mean something like this:

POST /filebeat-*/log/_search?scroll=1m&pretty
{
"size": 999,
"query": {

   "bool":{ 

      "must": [
        
		{ "match": {"concatenated": "FALSE"}},
        { "range": 
          { 
            "delay": 
              {
                "gte": 0,
                "lt":  3
              } 
          }
        },
        { "range": 
          { 
            "eventTimestamp.raw": 
              {
                "gte" : "now-99999m/m",
                "lt" :  "now/m"
              } 
          }
        }
      ]
   }
  }
}
?

See cardinality aggregation

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.