I'm trying to find the average number of status errors I get a day.
I have 3 days worth of data in my index and I would like to be able to find the average and use it again within the same query. Ultimately I'm trying to figure out if my current day of data has more errors than the average day. It should essentially give me a true or false.
I have this query
POST /index/_search?search_type=count
{
"query": {
"match": {
"sc-status": "500"
}
},
"aggs" : {
"1" : {
"date_histogram" : {
"interval" : "day",
"field" : "date"
}
}
}
}
And this gives me
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 1566,
"max_score": 0,
"hits": []
},
"aggregations": {
"1": {
"buckets": [
{
"key_as_string": "2015-05-31T00:00:00.000Z",
"key": 1433030400000,
"doc_count": 400
},
{
"key_as_string": "2015-06-01T00:00:00.000Z",
"key": 1433116800000,
"doc_count": 594
},
{
"key_as_string": "2015-06-02T00:00:00.000Z",
"key": 1433203200000,
"doc_count": 572
}
]
}
}
}
Which is enough info to calculate the average myself and then use a second query to find the answer. But I would like to be able to do everything in one straight shot because I will not always have this few of days. Can this be done?