How to Sum two or more integer from different logs

Farid_N · April 10, 2021, 9:32am

Hi
I have 2logs:

{
  "_index": "monitoring",
  "_type": "_doc",
  "_id": "1",
  "_version": 1,
  "_score": null,
  "_source": {
    "jobtypedescription": "Monitor",
    "@version": "1",
    "jobtypeid": 1,
    "jobactionid": 100030,
    "@timestamp": "2021-04-10T02:30:00.564Z",
    "Count": 1308,
    "ApplicationName": "ExtendSubscription",
    "actiondescription": "Zabbix"
  }

The other one is:

{
  "_index": "monitoring",
  "_type": "_doc",
  "_id": "2",
  "_version": 1,
  "_score": null,
  "_source": {
    "jobtypedescription": "Monitor",
    "@version": "1",
    "jobtypeid": 1,
    "jobactionid": 100030,
    "@timestamp": "2021-04-10T02:30:00.564Z",
    "Count": 6131,
    "ApplicationName": "ExtendSubscription",
    "actiondescription": "Zabbix"
  }

As you see there is an integer filed name Count in both logs (1308 & 6131). I need a query to return the SUM of this Count. For instance I want "total" : 7439

What will the query look like?

Thanks in advanced

Farid_N · April 10, 2021, 9:37am

I searched the link bellow:

Is this correct?

Farid_N · April 10, 2021, 11:21am

This query works:

GET /job-*/_search
{
  "query": {
    "constant_score": {
      "filter": {
        "match":{"jobtypeid":"1"}
      }
    }
  },
  "aggs": {
    "total_Count": {"sum": {
      "field": "Count"
    }
    }
  }
}

But it has a problem, I just want to aggerate only last 24hours... So I try this:

GET /job-*/_search
{
  "query": {
    "constant_score": {
      "filter": {
        "match":{"jobtypeid":"1"}
      }
    },
    "range": {
      "@timestamp": {
        "gte": "now-24h",
        "lte": "now"
      }
    }
  },
  "aggs": {
    "total_Count": {"sum": {
      "field": "Count"
    }
    }
  }
}

But I faced with this error:

  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "[constant_score] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line" : 8,
        "col" : 5
      }
    ],
    "type" : "parsing_exception",
    "reason" : "[constant_score] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line" : 8,
    "col" : 5
  },
  "status" : 400
}

Why I can not use this range API ?!? I used this range before (for other queries)

dadoonet · April 10, 2021, 11:27am

You need to put both queries (match and range) in a bool query instead.

Farid_N · April 10, 2021, 11:56am

Oh I forgot...
Thank you so much

system · May 8, 2021, 11:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.