Query using aggregation, but response is null_pointer_exception

Hi all

I'm testing the ES aggregation function; currently I use SNMP polling as the source data.

Device: forti 100D

Here is my query:

{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "1520471015615",
              "lte": "1520472815615",
              "format": "epoch_millis"
            }
          }
        },
        {
          "query_string": {
            "analyze_wildcard": true,
            "query": "type_instance: \"ae0.1\" AND collectd_type: \"forti_in\""
          }
        }
      ]
    }
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "interval": "15s",
        "field": "@timestamp",
        "min_doc_count": 0,
        "format": "epoch_millis"
      },
      "aggs": {
        "1": {
          "avg": {
            "field": "value"
          }
        },
        "3": {
          "derivative": {
            "buckets_path": "1"
          }
        }
      }
    }
  }
}

Because the raw data is a counter type, I need to use derivative to get the speed;
then I want to query when the speed is over some value.

Here is the result:
{
  "error": {
    "root_cause": [],
    "type": "search_phase_execution_exception",
    "reason": "",
    "phase": "fetch",
    "grouped": true,
    "failed_shards": [],
    "caused_by": {
      "type": "script_exception",
      "reason": "runtime error",
      "script_stack": [
        "params.final > 100000",
        " ^---- HERE"
      ],
      "script": "params.final > 100000",
      "lang": "painless",
      "caused_by": {
        "type": "null_pointer_exception",
        "reason": null
      }
    }
  },
  "status": 503
}

I think the reason is that the first derivative value was null, so is there any way to fix this, or another better solution? Thanks!!
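
The pipeline described in the post (15 s buckets, average of the counter, derivative, then a threshold test), modelled in Python as an added example that is not part of the original post. The sample counter readings, the `BASE` timestamp, the function names and the gap handling (an empty bucket is skipped and the next derivative is taken against the last non-empty bucket) are assumptions of this sketch.

```python
from collections import defaultdict

INTERVAL_MS = 15_000      # "interval": "15s" from the query
THRESHOLD = 100_000       # threshold from the failing script
BASE = 1520471010000      # constructed bucket-aligned start time

# Constructed counter samples (timestamp_ms, value); the bucket at BASE+45000 is empty.
SAMPLES = [(BASE + 1_000, 1_000_000), (BASE + 16_000, 1_050_000),
           (BASE + 31_000, 1_250_000), (BASE + 61_000, 1_600_000),
           (BASE + 76_000, 1_620_000)]

def histogram_avg(samples, start, end):
    """Average value per bucket; empty buckets are kept as None (min_doc_count: 0)."""
    groups = defaultdict(list)
    for ts, value in samples:
        groups[ts - ts % INTERVAL_MS].append(value)
    first = start - start % INTERVAL_MS
    return [(k, sum(groups[k]) / len(groups[k]) if k in groups else None)
            for k in range(first, end + 1, INTERVAL_MS)]

def derivative(buckets):
    """Difference to the previous non-empty bucket; first and empty buckets get None."""
    rows, last = [], None
    for key, avg in buckets:
        diff = None
        if avg is not None:
            if last is not None:
                diff = avg - last
            last = avg
        rows.append((key, avg, diff))
    return rows

def select_unsafe(rows):
    # Same shape as "params.final > 100000": fails on the first bucket, where final is None.
    return [key for key, _, final in rows if final > THRESHOLD]

def select_guarded(rows):
    # Null check first; as a Painless expression the same guard would read
    # "params.final != null && params.final > 100000".
    return [key for key, _, final in rows if final is not None and final > THRESHOLD]

ROWS = derivative(histogram_avg(SAMPLES, BASE, BASE + 89_999))

if __name__ == "__main__":
    for key, avg, final in ROWS:
        print(key, avg, final)
    print("buckets over threshold:", select_guarded(ROWS))
```
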
