Order by peak value for a time-interval(like 5m) in terms aggregation

junkainiu · July 21, 2017, 11:47am

HI,
I am using elasticsearch 5.3 and need to calculate top 50 client_ip and order by 1m-peak-value in one day .
like this , I try to use a 1 size date_histogram to get the peak value,

"aggs": {
          "client_ip": {
            "terms": {
              "field": "ClientIp", 
              "order": {"timeline>pktlen": "desc"},
              "size": 50
            },
            "aggs": {
              "timeline": {
            	"date_histogram": {
            		"field": "ts",
            		"interval": "1m",
            		"order": {"pktlen": "desc"},
                    "size": 1
            	},
            	"aggs": {
            		"pktlen": {
                		"sum": {
                			"field": "PktLen_Sum"
                		}
            		}
            	}
              }
          }
        }
      }

Sadly, it gets two errors

Terms buckets can only be sorted on a sub-aggregator path that is built out of zero or more single-bucket aggregations within the path and a final single-bucket or a metrics aggregation at the path end
Date histogram not support size

So how can I get the top 50 client_ip ordered by peak value

system · August 18, 2017, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get top n with date histogram Elasticsearch	4	621	April 10, 2020
Order results of date Histogram Elasticsearch	1	921	August 22, 2018
Sorting a terms aggregation by sub-terms-aggregation cardinality aggregation Elasticsearch	1	805	August 26, 2017
Elasticsearch Aggregation - Return a list of array from documents found Elasticsearch	4	1344	January 6, 2021
Aggregation size 0 for top results Elasticsearch	14	12222	July 12, 2018

Order by peak value for a time-interval(like 5m) in terms aggregation

Related topics