Q on search aggregation

stefws · October 15, 2016, 11:21pm

Newbie in querying ES, I'm wondering if a search, which only returns aggregation data, something like this:

{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "<some query>"
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": <epoch low>,
                  "lte": <epoch high>,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "size": 0,
  "aggs": {
    "data": {
      "terms": {
        "field": "<bucket field>",
        "size": 5,
        "order": {
          "_count": "desc"
        }
      }
    }
  }
}

could be constrained further to only return data if bucket counts are above a threshold or in a range and if so how?

TIA

# curl -s -XGET 'http://127.0.0.1:9200/<index>/<type>/_search' -d@es.queries/uniq.boxes | jq .aggregations.data.buckets 
[
  {
    "key": "200000724940",
    "doc_count": 1191
  },
  {
    "key": "200001272797",
    "doc_count": 1189
  },
  {
    "key": "200001192179",
    "doc_count": 106
  },
  {
    "key": "9025586118600015778",
    "doc_count": 15
  },
  {
    "key": "200001169953",
    "doc_count": 10
  }
]

nik9000 · October 15, 2016, 11:46pm

Does the bucket selector aggregation
do the job for you?

stefws · October 16, 2016, 12:08am

Thanks, looks like it might, will try it....

stefws · October 16, 2016, 12:57am

Yeap, thanks, works when enabling inline script+search with this eg.

  "aggs": {
    "data": {
      "terms": {
        "field": "<bucket field>",
        "size": 5,
        "order": {
          "_count": "desc"
        }
      },
      "aggs": {
        "data_bucket_filter": {
          "bucket_selector": {
            "buckets_path": { "cnt": "_count" },
            "script": "cnt > 500"
          }
        }
      }
    }

makes it now return:

# curl -s -XGET 'http://127.0.0.1:9200/<index>/<type>/_search' -d@es.queries/uniq.boxes | jq .aggregations.data.buckets 
[
  {
    "key": "200000724940",
    "doc_count": 1191
  },
  {
    "key": "200001272797",
    "doc_count": 1189
  }
]