Hello,
From time to time I poll an API for the state of a bunch of virtual machines. The mapping for the virtual machine type has an integer field, "cpuCount". Let's say I want to sum the latest "cpuCount" value across a bunch of virtual machines.
As of now with top_hits I can get the latest "cpuCount" for each Vm after filtering with a query and a terms aggregation like this:
GET ovm-*/_search
{
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "type:Vm AND environment: Production AND project: Phase1 AND vmRunState:RUNNING",
"analyze_wildcard": true
}
}
]
}
},
"aggs": {
"0":{
"terms": { "field" : "id.name" },
"aggs": {
"1": {
"top_hits": {
"docvalue_fields": [
"cpuCount"
],
"_source": "cpuCount",
"size": 1,
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
}
}
}
The response looks like this:
{
"took": 34,
"timed_out": false,
"_shards": {
"total": 15,
"successful": 15,
"failed": 0
},
"hits": {
"total": 2136,
"max_score": 0,
"hits": []
},
"aggregations": {
"0": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"1": {
"hits": {
"total": 534,
"max_score": null,
"hits": [
{
"_index": "ovm-2017.04.06",
"_type": "Vm",
"_id": "AVtD9znQHF6B64DZCfqU",
"_score": null,
"_source": {
"cpuCount": 8
},
"fields": {
"cpuCount": [
8
]
},
"sort": [
1491493926958
]
}
]
}
},
"key": "VM1",
"doc_count": 534
},
{
"1": {
"hits": {
"total": 534,
"max_score": null,
"hits": [
{
"_index": "ovm-2017.04.06",
"_type": "Vm",
"_id": "AVtD9znQHF6B64DZCfqY",
"_score": null,
"_source": {
"cpuCount": 8
},
"fields": {
"cpuCount": [
8
]
},
"sort": [
1491493926959
]
}
]
}
},
"key": "VM2",
"doc_count": 534
},
{
"1": {
"hits": {
"total": 534,
"max_score": null,
"hits": [
{
"_index": "ovm-2017.04.06",
"_type": "Vm",
"_id": "AVtD9znQHF6B64DZCfqX",
"_score": null,
"_source": {
"cpuCount": 8
},
"fields": {
"cpuCount": [
8
]
},
"sort": [
1491493926959
]
}
]
}
},
"key": "VM3",
"doc_count": 534
},
{
"1": {
"hits": {
"total": 534,
"max_score": null,
"hits": [
{
"_index": "ovm-2017.04.06",
"_type": "Vm",
"_id": "AVtD9znQHF6B64DZCfqa",
"_score": null,
"_source": {
"cpuCount": 8
},
"fields": {
"cpuCount": [
8
]
},
"sort": [
1491493926959
]
}
]
}
},
"key": "VM4",
"doc_count": 534
}
]
}
}
}
This shows that every VM has 8 as its latest "cpuCount" value, which is fine, but I don't know how to sum those values afterwards to get "32" as the final value. I tried nesting a sum aggregation inside the top_hits aggregation, but it doesn't seem to work. If I place the sum as a sibling aggregation to the top_hits, it returns a big number, obviously because it adds up all the cpuCount values for those 4 VMs rather than only the latest cpuCount of each.
Any thoughts would be appreciated.
Thank you,
N