I'm using an Elasticsearch query (6.7) to find the maximum number of records returned for a particular service. My aggregation query is working great, but I need to also find the time when this maximum occurred.
If I specify docvalue_fields or just look in _source, I can see the @timestamp in the query results. However, I need only the maximum value(s) and the time at which each maximum occurred, not the surrounding hits. Is there any way to do this?
{
"size": 0,
"query": {
"bool": {
"must": [
{
"terms": {
"source": [
"export",
"collection"
]
}
},
{
"match": {
"name": "COLLECTION.RecsReceived"
}
},
{
"match": {
"component": "DATA"
}
},
{
"range": {
"@timestamp": {
"gte": "now-14d"
}
}
},
{
"range": {
"count": {
"gt": 0
}
}
}
]
}
},
"aggs": {
"hostname_group": {
"terms": {
"field": "hostname.keyword"
},
"aggs": {
"instance_group": {
"terms": {
"field": "instance.keyword"
},
"aggs": {
"service_group": {
"terms": {
"field": "service.keyword"
},
"aggs": {
"records_received": {
"max": {
"field": "count"
}
}
}
}
}
}
}
}
}
}
}
I get output like this (truncated):
{
"took": 10,
"timed_out": false,
"_shards": {
"total": 7,
"successful": 7,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 13116,
"max_score": 0.0,
"hits": []
},
"aggregations": {
"hostname_group": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "aln-dev",
"doc_count": 13116,
"instance_group": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "2",
"doc_count": 8207,
"service_group": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 2314,
"buckets": [
{
"key": "sms",
"doc_count": 590,
"records_received": {
"value": 160.0
}
},
{
"key": "voice",
"doc_count": 590,
"records_received": {
"value": 3778.0
}
},