Hi,
I am looking for a way to query for changes in my elasticsearch documents. I have devices which periodically check in with their on/off status so my document will look something like this:
How can I write a query which will return all the documents where the values for on_status or error have changed from their previous values (ie. the device turned off)? What about if I want to list every time error went up from 0/back down to 0?
This is not possible in the way you describe. Elasticsesarch does not track changes to documents.
However, you could probably use a different approach: Treat each status change as a separate document. Then create an aggregation query over a recent time frame that aggregates by device ID. For each of the devices, aggregate on the status field. Devices that have more than one status value have switched state. A top-hits aggregation (sorted by date) would return the current status, and you can infer the switch direction from there.
How do you control your document id?
If you can control the document ID, you could do a simple trick with this by using @timestamp.
You update the document only if you have the device up. All other devices will not get the update and therefore you can assume that their status is down. So if the device will not check in, it will not update the document and you can query for something that is for example: now-2h/now-4h.
Another way is just to create two indexes, one for devices up, another for devices down.
or you create array with the document check-in and its status and you can retain the history
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.