Perform aggregation on a modified term

manropinxu · April 17, 2023, 2:11pm

I'd like to perform an aggregation grouping by a modified version of amessage field.

I have lots of messages like

invalid x with uuid=1e659cfc-a375-4a8a-88f5-467419fdf87d
invalid x with uuid=49c4742e-0368-49a2-aab4-7f59b2e89ec8

I want them to end up in the same aggregation bucket by replacing the uuid with ''
the idea would be something in the direction of:

{
            "size": 0,
            "query": {
            },
            "aggs": {
                "my_aggregation": {
                    "terms": {
                        "size": 1000,
                        "field": "message.keyword.replace(uuid_regex,'<UUID>')"
                    }
                }
            }
        }

system · May 15, 2023, 2:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.