[Kibana 5.5.2] condition in aggregated field with top_hits

salim_ts86 · January 10, 2018, 5:19pm

hello everyone,

I'm using a visualisation to contrôle the received documents in ES (with top_hits on meta.localtime field).

the generated request:

{
  "query": {
"bool": {
  "must": [
    {
      "match_all": {}
    },
    {
      "range": {
        "ended": {
          "gte": 1507827469811,
          "lte": 1515603469811,
          "format": "epoch_millis"
        }
      }
    }
  ],
  "must_not": []
}
  },
  "size": 0,
  "_source": {
"excludes": []
  },
  "aggs": {
"2": {
  "terms": {
    "field": "meta.srcMaster",
    "size": 9999,
    "order": {
      "_term": "desc"
    }
  },
  "aggs": {
    "3": {
      "terms": {
        "field": "@policy",
        "size": 99999,
        "order": {
          "_term": "desc"
        }
      },
      "aggs": {
        "1": {
          "top_hits": {
            "docvalue_fields": [
              "meta.localtime"
            ],
            "_source": "meta.localtime",
            "size": 1,
            "sort": [
              {
                "meta.localtime": {
                  "order": "desc"
                }
              }
            ]
          }
        }
      }
    }
  }
}
  }
}

I want to filter results to get lines with the top_hits aggregation "1" lower then "now-24h"
I tried ti use "lt":"now-24h". But the top_hits can't parse the query.

Thanx in advance for the help.

Regards

Marius_Dragomir · January 10, 2018, 6:46pm

Hello,

Would using a filter on meta.localtime < now-24h get you your desired results? I don't really understand exactly what you are trying to do so I cannot reproduce the scenario locally in order to test this.

salim_ts86 · January 11, 2018, 10:26am

Hello Marius,

My visualisation contrôle the last received documents concerning my two fields SrcMaster and @policy. To do so i'm using the top_hit aggregation in kibana

I'm trying to filter this visualisation and keep in the table only the couple (SrcMaster/Policy) with last received document lower then now-24h. Since i was not able to do it directly by filtering the aggregated field in kibana, i'm trying to get something using the Dev tools.

Hope it was clear.

Thank you for the help.
salim

system · February 8, 2018, 10:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.