I want to fetch all the records of avg CPU and memory usage for a particular set of hosts, with one hour of granularity.
I'm using the query below:

```json
{
  "size": 0,
  "_source": ["@timestamp", "beat.name", "system.memory.used.pct", "system.cpu.total.norm.pct"],
  "aggs": {
    "4": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1h",
        "time_zone": "US/Eastern",
        "min_doc_count": 1
      },
      "aggs": {
        "Avg CPU": { "avg": { "field": "system.cpu.total.norm.pct" } },
        "Avg Memory": { "avg": { "field": "system.memory.used.pct" } }
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "now-4h", "lte": "now" } } }
      ],
      "filter": [
        {
          "bool": {
            "should": [
              { "query_string": { "fields": ["beat.name"], "query": "host*" } }
            ]
          }
        }
      ]
    }
  }
}
```
Is this the right approach, or is there another way?
My problem with this query is that I need to fetch the hostname details as well, but they don't get captured in the aggregations; it only gives CPU and memory details. I may need to add one more bucket under aggregations to get the hostname details. Is there a better way to do it?
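The following is an added example, not code from the question or from Elastic: the same query with a `terms` bucket on `beat.name` wrapped around the hourly `date_histogram`, so each hour's averages come back per host, plus a small parser that flattens the nested response. Field names are the ones the question uses; the sample response is constructed to match the query's shape.

```python
# Added example (not from the question or from Elastic): the same query with a
# terms bucket on beat.name wrapped around the hourly date_histogram, and a small
# parser that turns the nested response into flat rows. Field names come from the
# question; the response at the bottom is constructed to match the query's shape.

def build_query(host_pattern="host*", interval="1h", hours_back=4):
    """Request body: one bucket per host, an hourly histogram under it,
    and the two averages under each hour."""
    return {
        "size": 0,
        "query": {"bool": {
            "must": [{"range": {"@timestamp": {"gte": f"now-{hours_back}h", "lte": "now"}}}],
            "filter": [{"query_string": {"fields": ["beat.name"], "query": host_pattern}}],
        }},
        "aggs": {"hosts": {
            # beat.name must be a keyword field for terms to work; size caps hosts returned
            "terms": {"field": "beat.name", "size": 100},
            "aggs": {"per_hour": {
                # "interval" matches the question; Elasticsearch 7.2+ prefers "fixed_interval"
                "date_histogram": {"field": "@timestamp", "interval": interval,
                                   "time_zone": "US/Eastern", "min_doc_count": 1},
                "aggs": {
                    "avg_cpu": {"avg": {"field": "system.cpu.total.norm.pct"}},
                    "avg_mem": {"avg": {"field": "system.memory.used.pct"}},
                },
            }},
        }},
    }


def flatten(response):
    """Return (host, hour, avg_cpu, avg_mem) tuples from the nested aggregation."""
    rows = []
    for host in response["aggregations"]["hosts"]["buckets"]:
        for hour in host["per_hour"]["buckets"]:
            rows.append((host["key"], hour["key_as_string"],
                         hour["avg_cpu"]["value"], hour["avg_mem"]["value"]))
    return rows


# Constructed sample response in the shape Elasticsearch returns for build_query().
SAMPLE_RESPONSE = {"aggregations": {"hosts": {"buckets": [
    {"key": "host-a", "per_hour": {"buckets": [
        {"key_as_string": "2020-01-01T10:00:00", "avg_cpu": {"value": 0.41}, "avg_mem": {"value": 0.72}},
        {"key_as_string": "2020-01-01T11:00:00", "avg_cpu": {"value": 0.35}, "avg_mem": {"value": 0.70}},
    ]}},
    {"key": "host-b", "per_hour": {"buckets": [
        {"key_as_string": "2020-01-01T10:00:00", "avg_cpu": {"value": 0.12}, "avg_mem": {"value": 0.55}},
    ]}},
]}}}
```

Because the host is the outer bucket, `flatten(SAMPLE_RESPONSE)` yields one row per host and hour, which is the shape the question asks for without a separate lookup of `beat.name`.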