I have this aggregation:
{ "query": { "range": { "time_stamp": { "lt": "now", "gte": "now-1d" } } }, "size": 0, "aggs": { "events_by_host": { "terms": { "field": "cell_host_the_app" }, "aggs": { "events_by_date": { "date_histogram": { "field": "time_stamp", "interval": "30m" }, "aggs": { "total_cpu": { "sum": { "field": "cpu_usgae_percentage" } }, "max_cpu": { "max": { "field": "cpu_usgae_percentage" } } } }, "max_aggregated_cpu": { "max_bucket": { "buckets_path": "events_by_date>total_cpu" } } } } } }
I'm trying to find a way to return another field (called app_name) from the max_cpu sub-aggregation. Is this possible?