How to use the value in buckets_path to filter the whole document?

I have a DSL query, and I want to use the value returned through buckets_path to filter the whole index.

Does ES support this kind of operation? In SQL Server it would be something like:

select * from table where max(datatime) < (select max(datatime) from table where type = ‘A')

Sample Data:

 
post index_test_startlog/_bulk
{"index":{"_id":1}}
{"UniqueAuditRecord":"0035969ECC142BF0C00001687C3001","timestamp":"2022-06-21T00:00:01","src":"start","TransactionId":"0035969ECC13AE1201"}
{"index":{"_id":2}}
{"UniqueAuditRecord":"0035969ECC142BF0C00001687C3002","timestamp":"2022-06-21T00:00:02","src":"start","TransactionId":"0035969ECC13AE1201"}
{"index":{"_id":3}}
{"UniqueAuditRecord":"0035969ECC142BF0C00001687C3003","timestamp":"2022-06-21T00:00:03","src":"start","TransactionId":"0035969ECC13AE1201"}
{"index":{"_id":4}}
{"UniqueAuditRecord":"0035969ECC142BF0C00001687C3004","timestamp":"2022-06-21T00:00:04","src":"start","TransactionId":"0035969ECC13AE1201"}

post index_test_endlog/_bulk
{"index":{"_id":1}}
{"UniqueAuditRecord":"0035969ECC142BF0C00001687C3001","timestamp":"2022-06-21T00:00:01","src":"END","TransactionId":"0035969ECC13AE1201"}
{"index":{"_id":2}}
{"UniqueAuditRecord":"0035969ECC142BF0C00001687C3003","timestamp":"2022-06-21T00:00:03","src":"END","TransactionId":"0035969ECC13AE1201"}

MYDSL:
The alias log is associated with the 2 indexes above.

POST log/_search

{

 "size": 0,

 "aggs": {

  "per_month": {

   "date_histogram": {

    "field": "timestamp",

    "calendar_interval": "month"

   },

   "aggs": {

    "src_type": {

     "terms": {

      "field": "src.keyword"

     },

     "aggs": {

      "max_timestamp": {

       "max": {

        "field": "timestamp"

       }

      }

     }

    },

    "END_max_timestamp": {

     "bucket_script": {

      "buckets_path": {

       "end": "src_type['END'] > max_timestamp"

      },

      "script": " params.END"

     }

    }

   }

  }

 }

}



result :

"aggregations" : {

  "per_month" : {

   "buckets" : [

    {

     "key_as_string" : "2022-06-01T00:00:00.000Z",

     "key" : 1654041600000,

     "doc_count" : 6,

     "src_type" : {

      "doc_count_error_upper_bound" : 0,

      "sum_other_doc_count" : 0,

      "buckets" : [

       {

        "key" : "START",

        "doc_count" : 4,

        "max_timestamp" : {

         "value" : 1.655769604E12,

         "value_as_string" : "2022-06-21T00:00:04.000Z"

        }

       },

       {

        "key" : "END",

        "doc_count" : 2,

        "max_timestamp" : {

         "value" : 1.655769603E12,

         "value_as_string" : "2022-06-21T00:00:03.000Z"

        }

       }

      ]

     },

     "END_max_timestamp" : {

      "value" : 1.655769603E12

     }

    }

   ]

  }

 }

I want to use the value of "END_max_timestamp" as the filter value.
