My bucket-script-based Transform is not showing the aggregation fields in the destination index

Hi,

I'm trying to make my first transform and I'm not getting the results I expect. My source has multiple events correlated by a command_unique_id and I want to find the duration of these events by getting the timestamp difference between the last event and the first. This feels very similar to the Getting duration by using bucket script example, but my output index is not showing any of my aggregate fields. Hopefully, I'm missing something obvious :)

My pivot configuration object:

{
  "group_by": {
    "command_unique_id": {
      "terms": {
        "field": "command_unique_id"
      }
    }
  },
  "aggregations": {
    "start-time": {
      "min": {
        "field": "timestamp"
      }
    },
    "end-time": {
      "max": {
        "field": "timestamp"
      }
    },
    "time_duration": {
      "bucket_script": {
        "buckets_path": {
          "start": "start-time",
          "end": "end-time"
        },
        "script": "params.end - params.start"
      }
    }
  }
}

One of the documents in my destination index:
[image]

When developing the transform, it is helpful to use the transform _preview API. By using this, you can more easily see how adjustments to the scripts will affect results, without actually needing to create the transform and destination index. See: Preview transform API, Elasticsearch Guide [7.15].

From looking at the documented example, it expects start-time.value and end-time.value in the bucket_script. Have you tried this?

Thank you! The lack of the .value on the end was part of my issue. The other issue is that I was using the Kibana UI and for some reason it complained of a syntax error when including the "@" when specifying the @timestamp field. However, when I switched to using the dev console, it required the "@" and worked well with it.
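
A small checker for the problem resolved in this thread, added here as an example and not code from any of the posters or from Elastic: it flags bucket_script paths that name a min/max/avg/sum aggregation without .value and builds a corrected body for POST _transform/_preview. The function names and the index name my-source-index are hypothetical; the .value rule is taken from the reply above, and the field is written as @timestamp per the follow-up.

```python
import copy
import json

# Metric aggregations whose result is read as "<name>.value" (rule taken from the thread).
SINGLE_VALUE_METRICS = {"min", "max", "avg", "sum"}

# Constructed sample: the pivot from the question, with the field written as "@timestamp".
THREAD_PIVOT = {
    "group_by": {"command_unique_id": {"terms": {"field": "command_unique_id"}}},
    "aggregations": {
        "start-time": {"min": {"field": "@timestamp"}},
        "end-time": {"max": {"field": "@timestamp"}},
        "time_duration": {"bucket_script": {
            "buckets_path": {"start": "start-time", "end": "end-time"},
            "script": "params.end - params.start",
        }},
    },
}

def _aggs(pivot):
    """Return the aggregation map under either accepted key."""
    return pivot.get("aggregations") or pivot.get("aggs") or {}

def bare_metric_paths(pivot):
    """List (script_agg, param, path) for every buckets_path entry that names
    a single-value metric aggregation without the ".value" suffix."""
    aggs = _aggs(pivot)
    metrics = {n for n, body in aggs.items() if SINGLE_VALUE_METRICS & body.keys()}
    return [
        (name, param, path)
        for name, body in aggs.items()
        for param, path in body.get("bucket_script", {}).get("buckets_path", {}).items()
        if path in metrics
    ]

def preview_body(source_index, pivot):
    """Build a _transform/_preview request body with ".value" appended to each
    flagged path. The pivot passed in is left unmodified."""
    fixed = copy.deepcopy(pivot)
    for name, param, path in bare_metric_paths(pivot):
        _aggs(fixed)[name]["bucket_script"]["buckets_path"][param] = path + ".value"
    return {"source": {"index": source_index}, "pivot": fixed}

if __name__ == "__main__":
    # "my-source-index" is a placeholder; paste the output into the dev console.
    print(json.dumps(preview_body("my-source-index", THREAD_PIVOT), indent=2))
```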
