Perform aggregation on the result of a subquery aggregation

Hi,

I'm a newbie with Elasticsearch. I'm validating Elasticsearch regarding our
needs.

Let's say I want to monitor disk usage of my VMs.

  • vm1 and vm2 are in Platform PF_A, vm3 is in platform PF_B

The mapping I declared (can be pasted in Sense):
PUT /example_201408/vm/_mapping
{
  "_timestamp": {
    "enabled": true,
    "default": null
  },
  "properties": {
    "date": {
      "type": "date"
    },
    "platform": {
      "type": "string"
    },
    "disk-used": {
      "type": "float"
    }
  }
}

Once a day, I collect the disk usage for all my VMs and I store the data in
ES:
POST /example_201408/vm/vm1_20140825
{
  "_timestamp": "2014-08-25T14:02:12.000Z",
  "ip": "192.168.0.1",
  "platform": "pf_A",
  "disk-used": 10
}
POST /example_201408/vm/vm2_20140825
{
  "_timestamp": "2014-08-25T14:02:12.000Z",
  "ip": "192.168.0.2",
  "platform": "pf_A",
  "disk-used": 30
}
POST /example_201408/vm/vm3_20140825
{
  "_timestamp": "2014-08-25T14:02:12.000Z",
  "ip": "192.168.0.3",
  "platform": "pf_B",
  "disk-used": 40
}

POST /example_201408/vm/vm1_20140826
{
  "_timestamp": "2014-08-26T14:02:12.000Z",
  "ip": "192.168.0.1",
  "platform": "pf_A",
  "disk-used": 15
}

I would like to have

  • *I successfully look up data per IP, grouped by platform (in
    buckets) at a specified date (now)* using this query:

GET /example_201408/_search?search_type=count&pretty=true
{
  "aggs": {
    "current_pf_statuses": {
      "terms": {
        "field": "platform"
      },
      "aggs": {
        "current_ip_statuses": {
          "terms": {
            "field": "ip"
          },
          "aggs": {
            "current_status_per_pf": {
              "top_hits": {
                "sort": [
                  {
                    "_timestamp": {
                      "order": "desc"
                    }
                  }
                ],
                "size": 1
              }
            }
          }
        }
      }
    }
  }
}

*I don't know how to sum disk-usage per platform at a specified date.*

I would imagine using the result of the first query in another one that
would aggregate over the platform field, but I don't know how to do it.

Is it possible to aggregate data per bucket?

Regards,
Guillaume
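
One way to get the per-platform sum from the response of the query in the post, as an added example that is not part of the original message: the nested platform/ip/top_hits buckets are reduced client-side in Python. The sample response is constructed from the four documents above and trimmed to the fields the reduction reads; the bucket keys are assumed to equal the stored platform values, and the function name is hypothetical.

```python
from collections import defaultdict

def _ip_bucket(ip, platform, ts, used):
    # Constructed helper: one "ip" bucket holding the single newest hit (size: 1).
    src = {"_timestamp": ts, "ip": ip, "platform": platform, "disk-used": used}
    return {"key": ip, "current_status_per_pf": {"hits": {"hits": [{"_source": src}]}}}

# Constructed response in the shape returned by the aggregation in the post.
SAMPLE_RESPONSE = {
    "aggregations": {
        "current_pf_statuses": {
            "buckets": [
                {"key": "pf_A", "current_ip_statuses": {"buckets": [
                    _ip_bucket("192.168.0.1", "pf_A", "2014-08-26T14:02:12.000Z", 15),
                    _ip_bucket("192.168.0.2", "pf_A", "2014-08-25T14:02:12.000Z", 30),
                ]}},
                {"key": "pf_B", "current_ip_statuses": {"buckets": [
                    _ip_bucket("192.168.0.3", "pf_B", "2014-08-25T14:02:12.000Z", 40),
                ]}},
            ]
        }
    }
}

def sum_latest_disk_used(response):
    """Sum the newest disk-used value of every ip, grouped by platform bucket."""
    totals = defaultdict(float)
    aggs = response.get("aggregations", {})
    for pf in aggs.get("current_pf_statuses", {}).get("buckets", []):
        totals[pf["key"]] += 0.0  # keep platforms that have no usable hit
        for ip in pf["current_ip_statuses"]["buckets"]:
            hits = ip["current_status_per_pf"]["hits"]["hits"]
            if not hits:
                continue  # ip bucket without a document
            value = hits[0]["_source"].get("disk-used")
            if value is not None:  # skip documents missing the field
                totals[pf["key"]] += float(value)
    return dict(totals)

if __name__ == "__main__":
    for platform, total in sorted(sum_latest_disk_used(SAMPLE_RESPONSE).items()):
        print(platform, total)
```
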
