Query DSL: Aggregation of fields and also value of fields

kelk · September 24, 2021, 1:30pm

My data structure is as follows

username,department,salary
bob,finance,2000
joe,HR,2200
chan,finance,3000
bobby,finance,2500
don,HR,1800

I was looking for a Splunk's equivalent command of

...  | stats values(salary) by department

So basically the output to be values of the salary aggregated by department

finance,"2000,3000,2500"
hr,"2200,1800"

How to do above aggregation in Watcher/DSL?

dadoonet · September 24, 2021, 2:00pm

It looks like to me a terms agg with a top_hits sub aggregation.

kelk · September 24, 2021, 3:11pm

thanks for the hint. Let me try and see how it goes

Edit: Above worked. Thanks David

system · October 22, 2021, 3:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trying to aggregate marvel watch data Elasticsearch elastic-stack-alerting	3	799	July 6, 2017
Aggregate watchers over multiple fields for term aggregation Elasticsearch elastic-stack-alerting	4	3179	September 21, 2018
DSL query aggregation question Elasticsearch	1	266	August 25, 2020
Top-K Plot with nested aggregations Kibana	1	311	January 2, 2020
DSL: Put Result of Aggregation into HIts Elasticsearch	4	556	September 11, 2017