How to keep on x no of recent documents based on field

saurabh_baid · August 26, 2019, 6:29pm

We are trying to evaluate elasticsearch for keeping up our events and very impressed so far.
Though there are two issues we need help with

We need to only keep X no of events per MAC address and old events should be purged. Since MAC could be in order of thousands obviously having separate indexes per mac is out of question.
I am assuming that this should be possible using aggregation and pipelines but now sure how
Is there a way we can get metric of No of query served during a time period, we need this info for our own benchmarking purposes.

Thanks in advance.

saurabh_baid · August 26, 2019, 8:15pm

So currently I am using following approach

Iterate through all the macs

For each mac

  "from": 1000,
          "size": 1,
          "query": {
              "bool": {
                  "must": [{"match_phrase": { "mac": mac  } }]
              }
          },
          "sort": {
              "eTime": {
                  "order": "desc"
              }
         }
      },

Once I have that

  POST events-index/_delete_by_query?conflicts=proceed
  {
    "query": {
      "bool" : {
        "must": [
            {"match_phrase": {"mac":  mac}},
            {"range": {"eTime" :{"lte":ts}}}
        ]
        
      }
    }
  }

Now this is certainly not the efficient way, Is there a way to combine all three steps into one aggregation/pipeline.

Topic		Replies	Views
Delete by query: keeping only the most recent N documents Elasticsearch	4	1602	February 19, 2021
Searching elastic unique user data in specific time in elasticsearch Elasticsearch	3	404	July 6, 2017
Store last X documents per id Elasticsearch	11	285	May 3, 2024
Last N documents aggregation Elasticsearch	1	456	April 2, 2018
How to get last X documents sorted by a timestamp Elasticsearch	13	7401	August 17, 2019

How to keep on x no of recent documents based on field

Related topics