Nested aggregation on ctx.payload.hits

Hello, Elastic Fans!

I am trying to use this example as a starting point:

The changes I am making are detecting a steep rise, not a drop. And for the input, I need to aggregate a bucket that is simply the average document count in the time spans. I suppose the total might work as well.

I am having trouble with:
"avg": { "field": "ctx.payload.hits" }

which yields an error:
"result": {
"execution_time": "2018-03-19T14:25:17.681Z",
"execution_duration": 1,
"input": {
"type": "search",
"status": "failure",
"reason": "UnknownNamedObjectException[Unknown BaseAggregationBuilder [avg_errors]]"

How should I write this?
Thank you!
Eric

See the rest of the input section below.

  "input": {
    "search": {
      "request": {
        "indices": "logs-pmc-app-*",
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                      "from": "now-10m",
                      "to": "now"
                  }
                }
              }
            }
          },
          "aggs": {
            "five_min": {
              "filters": {
                "filters": {
                  "latest5": {
                    "range": {
                      "@timestamp": {
                          "gte": "now-5m",
                          "lte": "now"
                      }
                    }
                  },
                  "previous5": {
                    "range": {
                      "@timestamp": {
                          "gte": "now-10m",
                          "lte": "now-5m"
                      }
                    }
                  }
                }
              }
            },
            "aggs": {
              "avg_errors": {
                "avg": {
                  "field": "ctx.payload.hits"
                }
              }
            }
          }
        }
      }
    }
  },

I think your indentation is wrong (humans are not the world's best JSON parsers...).

The "aggs/avg_errors" part needs to be within the five_min structure.

--Alex


Thank you for the reply. The good news is I solved this a little earlier today using different techniques. I eliminated that aggs/error section, then used docs_count property references in the condition:

  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.five_min.buckets.latest5.doc_count > 2 * ctx.payload.aggregations.five_min.buckets.previous5.doc_count",
      "lang": "painless"
    }
  }

I had to guess that that “doc_count” property existed, after reading a lot of related material. I did not find detailed comprehensive documentation that explains how all of the this.that.other style references work.
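As an added example that is not part of the thread, the following Python puts Alex's nesting fix and Eric's doc_count condition side by side: it builds the search input with any sub-aggregation placed inside `five_min` (the misplaced `aggs` key is what produced "Unknown BaseAggregationBuilder [avg_errors]", since a key at that level is read as an aggregation name and its first child as the aggregation type), and it re-implements the condition locally against a constructed payload in the shape Watcher exposes as `ctx.payload`. The index pattern is from the thread; the `avg_field` name, the spike factor and the minimum-count floor are assumptions.

```python
"""Added example (not from the thread): the corrected Watcher search input,
with any per-bucket sub-aggregation nested inside `five_min`, plus a local
re-implementation of the Painless condition run against a constructed payload.
INDEX_PATTERN is from the thread; the field passed as `avg_field`, the spike
factor and the minimum-count floor are assumptions."""

INDEX_PATTERN = "logs-pmc-app-*"


def build_search_input(avg_field=None):
    """Return the body of `input.search.request`.

    The top-level `aggs` map holds one aggregation, `five_min`. A sub-aggregation
    belongs in an `aggs` key *inside* `five_min`, beside `filters`. Placed beside
    `five_min` instead, the key `aggs` is read as the name of a second aggregation
    and its first child key (`avg_errors`) as the aggregation type, which is what
    "Unknown BaseAggregationBuilder [avg_errors]" reports.
    """
    five_min = {
        "filters": {
            "filters": {
                "latest5": {"range": {"@timestamp": {"gte": "now-5m", "lte": "now"}}},
                "previous5": {"range": {"@timestamp": {"gte": "now-10m", "lte": "now-5m"}}},
            }
        }
    }
    if avg_field is not None:
        # `avg` needs an indexed numeric field (assumed name); a watch payload path
        # such as "ctx.payload.hits" is not a field and cannot be averaged.
        five_min["aggs"] = {"avg_errors": {"avg": {"field": avg_field}}}
    return {
        "indices": INDEX_PATTERN,
        "body": {
            "size": 0,
            "query": {"bool": {"filter": {"range": {"@timestamp": {"gte": "now-10m", "lte": "now"}}}}},
            "aggs": {"five_min": five_min},
        },
    }


def spike_detected(payload, factor=2, min_docs=10):
    """Mirror of the Painless condition, with a floor so an empty `previous5`
    bucket does not fire on a single new document (with previous5 == 0 the bare
    `latest > factor * previous` test is already true for latest == 1)."""
    buckets = payload["aggregations"]["five_min"]["buckets"]  # keyed filters -> object
    latest = buckets["latest5"]["doc_count"]
    previous = buckets["previous5"]["doc_count"]
    return latest >= min_docs and latest > factor * previous


# Equivalent condition script for the watch itself (assumption: same floor of 10).
PAINLESS_CONDITION = (
    "def b = ctx.payload.aggregations.five_min.buckets; "
    "return b.latest5.doc_count >= 10 && b.latest5.doc_count > 2 * b.previous5.doc_count"
)

# Constructed payload in the shape Watcher exposes as ctx.payload for keyed filter buckets.
SAMPLE_PAYLOAD = {
    "aggregations": {
        "five_min": {
            "buckets": {
                "latest5": {"doc_count": 57},
                "previous5": {"doc_count": 12},
            }
        }
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_search_input(), indent=2))
    print("spike:", spike_detected(SAMPLE_PAYLOAD))
```

The `min_docs` floor is the one thing the thread's condition lacks: the first five minutes after a quiet period would otherwise alert on a single log line. Keyed `filters` buckets come back as an object, which is why `buckets.latest5` works as a path at all; unkeyed filters would return an array.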
