I have this JSON document:
{"docs":[{"id":"1","abono":10000,"cargo":0,"descripcion":"Abono"},{"id":"2","abono":0,"cargo":23000,"descripcion":"Pago Remuneraciones","Remuneracions":[{"id":1001,"empleado_id":111,"monto_liquido":12000,"CartolaDocumento":{"cartola_id":555555,"monto_convertido":12000},"Prorratas":[{"cuenta_id":333333,"monto":12000 }],"Empleado":{"id":111,"nombre":"Alvaro"}},{"id":1002,"empleado_id":222,"monto_liquido":11000,"CartolaDocumento":{"cartola_id":555555,"monto_convertido":11000},"Prorratas":[{"cuenta_id":333333,"monto":11000}],"Empleado":{"id":222,"nombre":"Santiago"}}]}]}
I send this JSON document to Elasticsearch through Logstash, using this configuration:
# Pipeline: read one JSON file, emit one event per element of "docs",
# and upsert each event into Elasticsearch keyed by its docs.id.
input {
  file {
    path => "/tmp/doc.json"
    # "beginning" is only honoured for files the plugin has not tracked before.
    start_position => "beginning"
    # Skip files last modified more than 15552000 s (180 days) ago.
    ignore_older => 15552000
    # Each line read from the file is decoded as JSON.
    codec => "json"
    # Marker field: drives the conditionals below and names the target index.
    add_field => { "producto" => "lalala" }
  }
}

filter {
  if [producto] == "lalala" {
    # One event per element of the top-level "docs" array; in each resulting
    # event "docs" holds a single object instead of the array.
    split { field => "docs" }
    # NOTE(review): only "docs" is split. "Remuneracions" stays an array of
    # objects inside one event; unless the index mapping declares it as
    # `nested`, Elasticsearch does not keep each nombre paired with its own
    # monto_liquido. Confirm against the index mapping.
    mutate { remove_field => ["host", "event", "log"] }
  }
}

output {
  if [producto] == "lalala" {
    elasticsearch {
      hosts => ["https://1.1.1.1:9200"]
      # TLS is on; this CA file is what the server certificate is validated against.
      ssl_enabled => true
      ssl_certificate_authorities => "/etc/certs/ca/ca_twd.crt"
      user => "shipper"
      # ${shipper} is resolved by Logstash from its keystore or the environment,
      # so the secret itself is not stored in this file.
      password => "${shipper}"
      # The index name comes from the "producto" field set by add_field above.
      # NOTE(review): keep index names out of fields the input data can set, and
      # limit the "shipper" role to the indices this pipeline writes.
      index => "%{producto}"
      # The document id is taken from the input data. With update + doc_as_upsert,
      # an event whose docs.id matches an existing document is merged into that
      # document rather than stored as a new one, so whoever can write the input
      # file decides which documents get modified.
      document_id => "%{[docs][id]}"
      action => "update"
      doc_as_upsert => true
      retry_on_conflict => "10"
    }
  }
}
That creates two documents in Elasticsearch. I want to create a visualization based on the second document. This is the document:
{
"_index": "lalala",
"_id": "2",
"_version": 1,
"_score": 0,
"_source": {
...
,
"docs": {
"id": "2",
"abono": 0,
"descripcion": "Pago Remuneraciones",
"Remuneracions": [
{
"monto_liquido": 12000,
"Empleado": {
"id": 111,
"nombre": "Alvaro"
},
"CartolaDocumento": {
"monto_convertido": 12000,
"cartola_id": 555555
},
"id": 1001,
"empleado_id": 111,
"Prorratas": [
{
"cuenta_id": 333333,
"monto": 12000
}
]
},
{
"monto_liquido": 11000,
"Empleado": {
"id": 222,
"nombre": "Santiago"
},
"CartolaDocumento": {
"monto_convertido": 11000,
"cartola_id": 555555
},
"id": 1002,
"empleado_id": 222,
"Prorratas": [
{
"cuenta_id": 333333,
"monto": 11000
}
]
}
],
"cargo": 23000
}
},
"fields": {
"docs.Remuneracions.Prorratas.monto": [
12000,
11000
],
"docs.descripcion": [
"Pago Remuneraciones"
],
"producto.keyword": [
"chipax"
],
"docs.Remuneracions.Empleado.nombre": [
"Alvaro",
"Santiago"
],
"@version.keyword": [
"1"
],
"docs.Remuneracions.monto_liquido": [
12000,
11000
],
"docs.descripcion.keyword": [
"Pago Remuneraciones"
],
"producto": [
"lalala"
],
"docs.id": [
"2"
],
...
"docs.Remuneracions.CartolaDocumento.monto_convertido": [
12000,
11000
],
"docs.Remuneracions.Empleado.nombre.keyword": [
"Alvaro",
"Santiago"
],
"docs.cargo": [
23000
],
"docs.Remuneracions.id": [
"1001",
"1002"
],
"docs.Remuneracions.Prorratas.cuenta_id": [
"333333",
"333333"
],
"docs.Remuneracions.empleado_id": [
"111",
"222"
],
"@version": [
"1"
],
"docs.Remuneracions.CartolaDocumento.cartola_id": [
"555555",
"555555"
],
"docs.abono": [
0
],
"docs.Remuneracions.Empleado.id": [
"111",
"222"
]
}
}
Let's say I want to show the docs.Remuneracions.monto_liquido for each docs.Remuneracions.Empleado.nombre.keyword value (Alvaro, Santiago), so that the result is Alvaro: 12000, Santiago: 11000.
How can I do that? I'm asking because if I create a search like this:
POST /lalala/_search
{
"size": 0,
"aggs": {
"total_por_empleado": {
"terms": {
"field": "docs.Remuneracions.Empleado.nombre.keyword"
},
"aggs": {
"total_monto_liquido": {
"sum": {
"field": "docs.Remuneracions.monto_liquido"
}
}
}
}
}
}
it shows 23000 (the sum of both amounts) for each of Alvaro and Santiago, instead of 12000 and 11000.
Help!