My data structure is as follows
username,department,salary
bob,finance,2000
joe,HR,2200
chan,finance,3000
bobby,finance,2500
don,HR,1800
I was looking for a Splunk's equivalent command of
... | stats values(salary) by department
So basically the output to be values of the salary aggregated by department
finance,"2000,3000,2500"
hr,"2200,1800"
How to do above aggregation in Watcher/DSL?
It looks like to me a terms agg with a top_hits sub aggregation.
thanks for the hint. Let me try and see how it goes
Edit: Above worked. Thanks David
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.