Return the value of aggs in match query

bhushan · April 11, 2019, 9:06am

Hi,
I want to return the value of aggs max in Match query.
for eg.

{
"aggs" : {
"max_id" : { "max" : { "field" : "id" } }
}
}

Value of above needs to be return in
{
"query": {"match": {"id": <max_id>}}
}

Or is there any way where i can create nest query as below
{
"query": {"match": { "id":
{
"aggs" : {
"max_id" : { "max" : { "field" : "id" } }
}
}
}
}
}

spinscale · April 11, 2019, 2:12pm

Hey,

can you explain what you are after? Would it be sufficient to have have a query, which sorts by the id field and has a size of 1? This way there would not be a need to use aggs at all.

--Alex

bhushan · April 11, 2019, 2:31pm

Hi Alex
I have 5 records with id 10
I have 7 records with id 11
I have 8 records with id 12

now i want to display only records of largest id (i.e id :12 with all 8 records).

thanks,
Bhushan

spinscale · April 11, 2019, 2:33pm

I see. then you have to split this into two requests. first getting the max id, then executing the query.

bhushan · April 11, 2019, 2:40pm

Hi Alex,
Thanks for the reply.
But my problem is i am using this query in watcher so whatever condition or query i will be using will be in one single block.

"input": {
"search": {
"request": {
"index": [
"logs"
],
"body": {

      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "state": "CRITICAL"
              }
            },
            {
              "match": {
                "instance_id": "max_instance_id"
              }
            }
          ]
        }
      },
      "size": 100,
        "aggs": {
        "max_instance_id": {
          "max": {
            "field": "instance_id"
          }
        }
      }
    }

This is what the code is.Please suggest me where the changes should be done.

spinscale · April 11, 2019, 2:45pm

Hey,

now we're getting somewhere it always makes sense to post your full problem initially so it is easier to come up with solutions.

Luckily you can solve this with watcher. Just use the chain input to the max value first, then you can use a chain transform to extract the max value and then use a search input with that extracted value - you can use the template syntax and access the transformed field like ctx.payload.second.path (from the example in the docs).

Hope this helps!

--Alex

bhushan · April 11, 2019, 2:54pm

Hi Alex,
Thanks for the Solution,
do you have any live example of this type so i can get brief idea , what to be done.
or you can even modify the above code,so i can get idea how it will look like.

Thanks,
bhushan

spinscale · April 11, 2019, 3:13pm

the best way would be get started with the chain input from the docs and go from there. If you have problems, please show exactly what they are including the output of the execute watch api, that usually helps a lot to debug.

See https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches for some help on debugging watches

bhushan · April 12, 2019, 1:55pm

Hi Alex ,
I used the Chain input For max operation but it gives me 500 internal error.
Add to a point that the watcher i am using is in sentinl (open source).
Please suggest , below is the code:

"input": {
"Chain": {
"input": [
{
"first": {
"search": {
"request": {
"indices": [
"logs"
],
"body": {
"aggs": {
"max_instance_id": {
"max": {
"field": "instance_id"
}
}
}
}
}
}
}
}
]
}
}

Thanks,
Bhushan

spinscale · April 12, 2019, 5:28pm

please take the time to properly format your code. You can use markdown in here, it will make it a million times easier to read a snippet.

Also, the blog post above included some tricks like the execute watch api, which should be used. This way you can also include the output here to ease debugging and see where the problem actually is, instead of just pasting your input snippet here, again debugging will become much simpler when also seeing the output.

bhushan · April 15, 2019, 1:22pm

Hi Alex,
I am sorry for above code for format.

Error: save watcher : save watcher : index watcher : mapping set to strict, dynamic introduction of [Input] within [sentinl-watcher] is not allowed: [strict_dynamic_mapping_exception] mapping set to strict, dynamic introduction of [Input] within [sentinl-watcher] is not allowed.

for

"input": { "chain": { "inputs": [ { "first": { "simple": { "path": "/_search" } } }, { "second": { "transform": { "script": "return [ 'path' : 'payload.first.path' + '/' ]" } } }, { "third": { "http": { "request": { "host": "localhost", "port": 9200, "path": "{{payload.second.path}}" } } } } ] } }

bhushan · April 15, 2019, 1:28pm

Can you please suggest me any other i can get the result?

spinscale · April 15, 2019, 7:10pm

Hey,

I'm confused now, what exactly sentinl watcher is. I suppose this some solution not by elastic (please correct me if I am wrong), so you might be better off, asking in the respective support forums about it.

--Alex

bhushan · April 16, 2019, 9:09am

Hi Alex,
Thanks for suggestions you provided till now,
Atlast i have used {{payload.aggregations.max_instance_id.value}} in email body and it does print the perfect value in email.

So is there any way, where i can put if condition in below loop

{{#ctx.payload.hits.hits}}{{_id}}|{{/ctx.payload.hits.hits}}

spinscale · April 16, 2019, 4:24pm

for watcher you have to use a script transform before the action in order to modify your payload.

system · May 14, 2019, 4:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Return document for aggregation result Elasticsearch	10	3391	June 9, 2017
Writing nested aggregation query in NEST Elasticsearch	2	577	June 5, 2019
Return all documents that have the highest value in a field Elasticsearch	1	1290	March 22, 2018
Need @timestamp value where the maximum aggregation result occurred Elasticsearch	2	642	November 5, 2020
Help with sum and max query Elasticsearch	7	3934	November 8, 2017

Return the value of aggs in match query

Related topics