Hi,
I have the following query to pull some data from Elastic. The query works fine however I want to extend it a little bit by making sure I get the latest record per device per index. The current query will simply get the latest record from the three indices I'm querying but I want the latest record per index.
Increasing the size is not an option, because of the timestamp getting a record from each index will be a bit hit or miss. Of course I could simply set up a cron job to run the query three times, one time for each index, but that would be too easy and probably not very efficient either.
Edit: To clarify, each index contains the field device_id. I want the latest document that contains device_id per index per device_id. So if I have 10 unique device_ids, the result should be 30 records: the 10 unique device_ids per index.
GET index1,index2,index3/_search?size=0
{
  "query": {
    "range": {
      "@ingest_time": {
        "gte": "now-10d"
      }
    }
  },
  "aggs": {
    "device": {
      "terms": {
        "field": "device_id",
        "size": 5000
      },
      "aggs": {
        "latest_data": {
          "top_hits": {
            "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ],
            "_source": {
              "includes": [ "bunch of fields" ]
            },
            "size": 1
          }
        }
      }
    }
  }
}
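One way to get the latest document per device_id per index is to nest a second terms aggregation on the built-in `_index` field between the device bucket and the top_hits. The block below is an added example, not code from the original post or from Elastic: `build_query` produces that request body and `latest_per_device_per_index` walks a hand-constructed sample response; `device_id`, `@timestamp` and `@ingest_time` are the field names from the post.

```python
# Added example, not from the original post: nest a terms aggregation on the
# built-in `_index` field under the device terms aggregation, so top_hits
# returns the newest document per device_id per index. Field names come from
# the post; the sample response is constructed by hand, not captured.

def build_query(days=10, max_devices=5000, max_indices=10, fields=None):
    """Return the request body for GET index1,index2,index3/_search."""
    return {
        "size": 0,
        "query": {"range": {"@ingest_time": {"gte": f"now-{days}d"}}},
        "aggs": {"device": {
            "terms": {"field": "device_id", "size": max_devices},
            "aggs": {"per_index": {
                # `_index` is aggregatable, so each device bucket is split by index
                "terms": {"field": "_index", "size": max_indices},
                "aggs": {"latest_data": {"top_hits": {
                    "sort": [{"@timestamp": {"order": "desc"}}],
                    "_source": {"includes": fields or ["device_id", "@timestamp"]},
                    "size": 1,
                }}},
            }},
        }},
    }


def latest_per_device_per_index(response):
    """Flatten the nested buckets into {(device_id, index): source_doc}."""
    out = {}
    for dev in response["aggregations"]["device"]["buckets"]:
        for idx in dev["per_index"]["buckets"]:
            hits = idx["latest_data"]["hits"]["hits"]
            if hits:  # every bucket has >= 1 doc, but stay defensive
                out[(dev["key"], idx["key"])] = hits[0]["_source"]
    return out


# Constructed sample response: one device present in two of the three indices.
SAMPLE_RESPONSE = {"aggregations": {"device": {"buckets": [
    {"key": "dev-1", "doc_count": 5, "per_index": {"buckets": [
        {"key": "index1", "doc_count": 3, "latest_data": {"hits": {"hits": [
            {"_source": {"device_id": "dev-1", "@timestamp": "2024-01-03T00:00:00Z"}}]}}},
        {"key": "index2", "doc_count": 2, "latest_data": {"hits": {"hits": [
            {"_source": {"device_id": "dev-1", "@timestamp": "2024-01-02T00:00:00Z"}}]}}},
    ]}},
]}}}

if __name__ == "__main__":
    for (device, index), doc in latest_per_device_per_index(SAMPLE_RESPONSE).items():
        print(device, index, doc["@timestamp"])
```

The inner terms `size` only needs to cover the number of indices queried (three here), while the outer `size` of 5000 still caps the number of devices returned, as in the original query.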