I have some nested fields and timestamps in documents a bit like:
{
  "@timestamp": timestamp,
  "field": [
    {
      "key": "keyname",
      "doc_count": count
    },
    ...
  ]
}
I'm trying to do a nested terms agg on field.key, with a date_histogram sub-agg on @timestamp, and a sum agg on field.doc_count under that. The terms agg works great. The date_histogram agg shows correct times on its buckets, but every bucket is empty. Here's how it looks so far. I'm leaving the sum agg out for now; I expect that to be easy once I've nailed the date_histogram.
"aggs": {
  "1": {
    "nested": {
      "path": "field"
    },
    "aggs": {
      "2": {
        "terms": {
          "field": "field.key"
        },
        "aggs": {
          "3": {
            "date_histogram": {
              "field": "@timestamp",
              "interval": "hour",
              "min_doc_count": 0,
              "extended_bounds": {
                "max": "now/h",
                "min": "now/h-1d"
              }
            }
          }
        }
      }
    }
  }
}
Responses currently appear thus:
"aggregations": {
  "1": {
    "doc_count": 2551,
    "2": {
      "doc_count_error_upper_bound": 32,
      "sum_other_doc_count": 1280,
      "buckets": [
        {
          "key": "key1",
          "doc_count": 351,
          "date_histogram": {
            "buckets": [
              {
                "key_as_string": "2017-04-10T10:00:00.000Z",
                "key": 1491818400000,
                "doc_count": 0
              },
              {
                "key_as_string": "2017-04-10T11:00:00.000Z",
                "key": 1491822000000,
                "doc_count": 0
              },
              <snip>
If I put it the other way around, with the nested and terms aggs underneath the date histogram, all is well. But I really want to aggregate on terms first if possible so that I get the top ten keys from the period, then count them per-interval (rather than a more erratic number of keys and a noisy graph).
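Added example (editor's note, not the poster's code): inside a `nested` aggregation the bucket context is the hidden nested child documents, which only carry `field.key` and `field.doc_count`; the root field `@timestamp` is not present there, so a `date_histogram` on it sees no values and every bucket comes back with `doc_count: 0`. Getting back to the parent document requires a `reverse_nested` agg. The catch for the layout the poster wants is that a `terms` agg shares one sub-aggregation tree across all of its buckets, so the inner sum cannot be filtered to "the same key as this bucket". The script below models both points in memory with constructed sample documents, and builds a two-query workaround: query 1 is the poster's nested terms agg (to pick the top-N keys for the period), query 2 has one sibling agg per selected key that goes `nested` > `filter` (that key) > `reverse_nested` > `date_histogram` > `nested` > `filter` (same key) > `sum`. Function names (`top_keys_agg`, `per_key_series_agg`, `simulate`), the sample documents and the agg names are hypothetical; `interval` is kept as in the post, but Elasticsearch 7.2+ expects `calendar_interval` instead.

```python
"""Model of the empty-bucket problem and a reverse_nested based workaround.
Editor-added example, not the original poster's code. Sample documents below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample documents shaped like the post's sketch (not real data).
DOCS = [
    {"@timestamp": "2017-04-10T10:05:00Z", "field": [{"key": "key1", "doc_count": 3}, {"key": "key2", "doc_count": 1}]},
    {"@timestamp": "2017-04-10T10:40:00Z", "field": [{"key": "key1", "doc_count": 2}]},
    {"@timestamp": "2017-04-10T11:10:00Z", "field": [{"key": "key2", "doc_count": 5}, {"key": "key3", "doc_count": 1}]},
    {"@timestamp": "2017-04-10T11:50:00Z", "field": [{"key": "key1", "doc_count": 4}, {"key": "key3", "doc_count": 2}]},
]


def nested_children(docs):
    """Model of the nested agg context: one hidden child doc per array entry.
    Root fields such as @timestamp are NOT copied into the children."""
    return [(i, entry) for i, doc in enumerate(docs) for entry in doc["field"]]


def timestamps_visible_in_nested_context(docs):
    """The poster's layout evaluates date_histogram against the nested children,
    so this count is what the histogram can see: zero values."""
    return sum(1 for _, child in nested_children(docs) if "@timestamp" in child)


def hour_bucket(ts):
    """Round an ISO-8601 Z timestamp down to the hour, formatted like a date_histogram key_as_string."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0).isoformat().replace("+00:00", ".000Z")


def top_keys(docs, size):
    """In-memory equivalent of query 1: most frequent field.key values across all nested entries."""
    counts = Counter(child["key"] for _, child in nested_children(docs))
    return [k for k, _ in counts.most_common(size)]


def top_keys_agg(size):
    """Query 1: the poster's nested terms agg, used only to select the top-N keys for the period."""
    return {"nested": {"path": "field"},
            "aggs": {"keys": {"terms": {"field": "field.key", "size": size}}}}


def per_key_series_agg(keys, interval="hour", bounds=None):
    """Query 2: one sibling agg per key. The filter is repeated after the inner nested agg because
    the parent document may carry entries for other keys too, and those must not be summed."""
    bounds = bounds or {"min": "now/h-1d", "max": "now/h"}

    def one_key(k):
        key_filter = {"term": {"field.key": k}}
        return {"nested": {"path": "field"}, "aggs": {"matching": {"filter": key_filter, "aggs": {
            "parents": {"reverse_nested": {}, "aggs": {  # back to the root document for @timestamp
                "per_hour": {"date_histogram": {"field": "@timestamp", "interval": interval,
                                                "min_doc_count": 0, "extended_bounds": bounds},
                             "aggs": {"entries": {"nested": {"path": "field"}, "aggs": {
                                 "same_key": {"filter": key_filter, "aggs": {
                                     "total": {"sum": {"field": "field.doc_count"}}}}}}}}}}}}}}

    return {k: one_key(k) for k in keys}


def simulate(docs, keys):
    """In-memory model of what per_key_series_agg returns: per key, per hour, the sum of doc_count
    of entries with that key, bucketed by the parent document's @timestamp."""
    series = {k: defaultdict(int) for k in keys}
    for doc in docs:
        hour = hour_bucket(doc["@timestamp"])
        for entry in doc["field"]:
            if entry["key"] in series:
                series[entry["key"]][hour] += entry["doc_count"]
    return {k: dict(v) for k, v in series.items()}


if __name__ == "__main__":
    print("timestamps visible to a date_histogram inside nested:", timestamps_visible_in_nested_context(DOCS))
    keys = top_keys(DOCS, 2)
    print("query 1:", top_keys_agg(2))
    print("query 2:", per_key_series_agg(keys))
    print("expected per-key series:", simulate(DOCS, keys))
```

The first query fixes the key set for the whole period, so the graph shows the same ten lines throughout and an interval in which a key is absent gets a zero bucket from `min_doc_count: 0` rather than a missing line.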