Query DSL: Aggregation of fields and also value of fields

kelk · September 24, 2021, 1:30pm

My data structure is as follows

username,department,salary
bob,finance,2000
joe,HR,2200
chan,finance,3000
bobby,finance,2500
don,HR,1800

I was looking for a Splunk's equivalent command of

...  | stats values(salary) by department

So basically the output to be values of the salary aggregated by department

finance,"2000,3000,2500"
hr,"2200,1800"

How to do above aggregation in Watcher/DSL?

dadoonet · September 24, 2021, 2:00pm

It looks like to me a terms agg with a top_hits sub aggregation.

kelk · September 24, 2021, 3:11pm

thanks for the hint. Let me try and see how it goes

Edit: Above worked. Thanks David

Topic		Replies	Views
Aggregate watchers over multiple fields for term aggregation Elasticsearch elastic-stack-alerting	4	3235	September 21, 2018
How to get the value in aggregations in watcher Kibana	2	1039	October 6, 2022
Get aggregation value and source field in one st Elasticsearch	2	455	March 16, 2018
Search Query on es aggregates Elasticsearch	2	565	July 5, 2017
Sub Aggregated Field \| Watcher Action Elasticsearch Elasticsearch	2	376	September 23, 2019