How to use aggregations with filter?


(Markus Breuer) #1

Kibana uses a facet to capture the result set. I want to use an
aggregation to fetch the same result.

The original query from Kibana looks like this:

{
  "facets" : {
    "0" : {
      "date_histogram" : {
        "field" : "@timestamp",
        "interval" : "1d"
      },
      "global" : true,
      "facet_filter" : {
        "fquery" : {
          "query" : {
            "filtered" : {
              "query" : {
                "query_string" : {
                  "query" : "result:SUCCESS"
                }
              },
              "filter" : {
                "bool" : {
                  "must" : [{
                    "range" : {
                      "@timestamp" : {
                        "from" : 1393137170765,
                        "to" : 1396195200000
                      }
                    }
                  }]
                }
              }
            }
          }
        }
      }
    }
  },
  "size" : 0
}

The aggregation without filter criteria is here:

{
  "aggregations": {
    "0": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1d"
      }
    }
  },
  "size": 0
}

But how should the filter criteria be applied here? In the mailing list
archive I found a reference to
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-aggregations-bucket-filter-aggregation.html.

I created the following query, which seems to return results. Is this the
correct way to filter aggregated data?

{
  "aggs": {
    "timerange": {
      "filter": {
        "range": {
          "@timestamp": {
            "gt": 0
          }
        }
      },
      "aggregations": {
        "0": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "1d"
          }
        }
      }
    }
  },
  "size": 0
}

Is this the best/most performant way to capture data from a large index?
Or are there alternatives?
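As an added example (not part of the original thread), the following Python rewrites a facet request of the shape shown above into the two 1.x aggregation forms it can take: a global -> filter -> date_histogram chain that reproduces the facet exactly, and the alternative of moving the facet's filter into the top-level query so the histogram only runs over the already filtered hits. The sample request and the bucket-type list are constructed for this example.

```python
# Constructed sample: the facet request from the post above, as a Python dict.
FACET_REQUEST = {
    "facets": {
        "0": {
            "date_histogram": {"field": "@timestamp", "interval": "1d"},
            "global": True,
            "facet_filter": {"fquery": {"query": {"filtered": {
                "query": {"query_string": {"query": "result:SUCCESS"}},
                "filter": {"bool": {"must": [{"range": {"@timestamp": {
                    "from": 1393137170765, "to": 1396195200000}}}]}},
            }}}},
        }
    },
    "size": 0,
}

# Bucket aggregations a facet of this shape can map onto (assumed list).
BUCKET_TYPES = ("date_histogram", "histogram", "terms", "range")


def facet_to_aggs(request):
    """Rewrite each facet as  [global ->] filter(facet_filter) -> bucket agg.

    A facet_filter is already a filter, so it is reused unchanged as the
    body of a filter aggregation; 'global': true becomes a global agg."""
    aggs = {}
    for name, facet in request.get("facets", {}).items():
        bucket = {k: v for k, v in facet.items() if k in BUCKET_TYPES}
        if len(bucket) != 1:
            raise ValueError("facet %r needs exactly one bucket type" % name)
        agg = {name: bucket}
        if "facet_filter" in facet:
            agg = {name + "_filter": {"filter": facet["facet_filter"], "aggs": agg}}
        if facet.get("global"):
            agg = {name + "_global": {"global": {}, "aggs": agg}}
        aggs.update(agg)
    return {"aggs": aggs, "size": request.get("size", 0)}


def facet_to_top_level_query(request):
    """Alternative for a single global facet: push its filter into the
    top-level query so the histogram buckets only the filtered hit set
    instead of every document in the index. Valid only when the facet's
    filter is the sole constraint, as it is in the post's request."""
    facets = request.get("facets", {})
    if len(facets) != 1:
        raise ValueError("only a single facet can be rewritten this way")
    (name, facet), = facets.items()
    bucket = {k: v for k, v in facet.items() if k in BUCKET_TYPES}
    body = {"aggs": {name: bucket}, "size": request.get("size", 0)}
    if "facet_filter" in facet:
        body["query"] = {"filtered": {"filter": facet["facet_filter"]}}
    return body
```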


(Markus Breuer) #2

Can someone see this post on the mailing list? I see "currently not accepted by mailing list", but I am subscribed to it.


(system) #3