Return the value of aggs in match query


(bhushan) #1

Hi,
I want to return the value of the aggs max in a match query, e.g.

```json
{
  "aggs": {
    "max_id": { "max": { "field": "id" } }
  }
}
```

The value of the above needs to be returned in

```json
{
  "query": { "match": { "id": <max_id> } }
}
```

Or is there any way I can create a nested query as below?

```json
{
  "query": { "match": { "id":
    {
      "aggs": {
        "max_id": { "max": { "field": "id" } }
      }
    }
  } }
}
```


(Alexander Reelsen) #2

Hey,

Can you explain what you are after? Would it be sufficient to have a query which sorts by the id field and has a size of 1? This way there would not be a need to use aggs at all.

--Alex


(bhushan) #3

Hi Alex
I have 5 records with id 10
I have 7 records with id 11
I have 8 records with id 12

Now I want to display only the records of the largest id (i.e. id 12, with all 8 records).

thanks,
Bhushan


(Alexander Reelsen) #4

I see. Then you have to split this into two requests: first getting the max id, then executing the query.


(bhushan) #5

Hi Alex,
Thanks for the reply.
But my problem is that I am using this query in a watcher, so whatever condition or query I use will be in one single block.

```json
"input": {
  "search": {
    "request": {
      "index": [
        "logs"
      ],
      "body": {
        "query": {
          "bool": {
            "must": [
              {
                "match": {
                  "state": "CRITICAL"
                }
              },
              {
                "match": {
                  "instance_id": "max_instance_id"
                }
              }
            ]
          }
        },
        "size": 100,
        "aggs": {
          "max_instance_id": {
            "max": {
              "field": "instance_id"
            }
          }
        }
      }
    }
  }
}
```

This is what the code is. Please suggest where the changes should be done.


(Alexander Reelsen) #6

Hey,

Now we're getting somewhere :slight_smile: It always makes sense to post your full problem initially, so that it is easier to come up with solutions.

Luckily you can solve this with watcher. Just use the chain input to get the max value first, then you can use a chain transform to extract the max value and then use a search input with that extracted value. You can use the template syntax and access the transformed field like ctx.payload.second.path (from the example in the docs).

Hope this helps!

--Alex


(bhushan) #7

Hi Alex,
Thanks for the solution.
Do you have any live example of this type, so I can get a brief idea of what is to be done?
Or you could even modify the above code, so I can get an idea of how it will look.

Thanks,
bhushan


(Alexander Reelsen) #8

The best way would be to get started with the chain input from the docs and go from there. If you have problems, please show exactly what they are, including the output of the execute watch API; that usually helps a lot with debugging.

See https://www.elastic.co/blog/watching-the-watches-writing-debugging-and-testing-watches for some help on debugging watches.


(bhushan) #9

Hi Alex,
I used the chain input for the max operation, but it gives me a 500 internal error.
Adding to that, the watcher I am using is in Sentinl (open source).
Please suggest; below is the code:

```json
"input": {
  "Chain": {
    "input": [
      {
        "first": {
          "search": {
            "request": {
              "indices": [
                "logs"
              ],
              "body": {
                "aggs": {
                  "max_instance_id": {
                    "max": {
                      "field": "instance_id"
                    }
                  }
                }
              }
            }
          }
        }
      }
    ]
  }
}
```

Thanks,
Bhushan


(Alexander Reelsen) #10

Please take the time to properly format your code. You can use markdown in here; it will make it a million times easier to read a snippet.

Also, the blog post above included some tricks like the execute watch API, which should be used. This way you can also include the output here to ease debugging and see where the problem actually is, instead of just pasting your input snippet here. Again, debugging will become much simpler when the output is also visible.


(bhushan) #11

Hi Alex,
I am sorry for the format of the above code.

Error: save watcher : save watcher : index watcher : mapping set to strict, dynamic introduction of [Input] within [sentinl-watcher] is not allowed: [strict_dynamic_mapping_exception] mapping set to strict, dynamic introduction of [Input] within [sentinl-watcher] is not allowed.

for:

```json
"input": {
  "chain": {
    "inputs": [
      { "first": { "simple": { "path": "/_search" } } },
      { "second": { "transform": { "script": "return [ 'path' : 'payload.first.path' + '/' ]" } } },
      { "third": { "http": { "request": { "host": "localhost", "port": 9200, "path": "{{payload.second.path}}" } } } }
    ]
  }
}
```


(bhushan) #12

Can you please suggest any other way I can get the result?


(Alexander Reelsen) #13

Hey,

I'm confused now about what exactly Sentinl watcher is. I suppose this is some solution not by Elastic (please correct me if I am wrong), so you might be better off asking in the respective support forums about it.

--Alex


(bhushan) #14

Hi Alex,
Thanks for the suggestions you have provided till now.
At last I have used `{{payload.aggregations.max_instance_id.value}}` in the email body, and it does print the perfect value in the email.

So is there any way I can put an if condition in the loop below?

```
{{#ctx.payload.hits.hits}}{{_id}}|{{/ctx.payload.hits.hits}}
```


(Alexander Reelsen) #15

For watcher you have to use a script transform before the action in order to modify your payload.
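Putting the two suggestions from this thread together (a chain input that fetches the max first and feeds it into a second search through the template syntax, then a script transform ahead of the action for the per-hit condition that a Mustache loop cannot express), here is a complete watch as an added example. It is not code from the thread or from Elastic's documentation, and it targets Elastic's Watcher, not Sentinl, which rejected the chain input above. Assumed: the `logs` index and the `state` and `instance_id` fields from the thread, a 5-minute schedule, a placeholder recipient `ops@example.com`, and 6.x-style Painless (the `source` key; older releases spell it `inline`).

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "chain": {
      "inputs": [
        {
          "first": {
            "search": {
              "request": {
                "indices": [ "logs" ],
                "body": {
                  "size": 0,
                  "aggs": {
                    "max_instance_id": { "max": { "field": "instance_id" } }
                  }
                }
              }
            }
          }
        },
        {
          "second": {
            "search": {
              "request": {
                "indices": [ "logs" ],
                "body": {
                  "size": 100,
                  "query": {
                    "bool": {
                      "must": [
                        { "match": { "state": "CRITICAL" } },
                        { "match": { "instance_id": "{{ctx.payload.first.aggregations.max_instance_id.value}}" } }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "compare": { "ctx.payload.second.hits.total": { "gt": 0 } }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "long maxId = (long) ctx.payload.first.aggregations.max_instance_id.value; def ids = []; for (def h : ctx.payload.second.hits.hits) { if ((long) h._source.instance_id == maxId) { ids.add(h._id); } } return ['max_instance_id': maxId, 'critical_ids': ids, 'count': ids.size()];"
    }
  },
  "actions": {
    "notify_ops": {
      "email": {
        "to": "ops@example.com",
        "subject": "{{ctx.payload.count}} CRITICAL records for instance {{ctx.payload.max_instance_id}}",
        "body": "{{#ctx.payload.critical_ids}}{{.}}|{{/ctx.payload.critical_ids}}"
      }
    }
  }
}
```

The `first` input runs with `size: 0` because only the aggregation is needed; its result is available to `second` as `ctx.payload.first`, so the max is rendered into the second search body by Mustache. The max aggregation returns a floating-point value such as `12.0`; a numeric `instance_id` field accepts that as 12 when queried, but a `keyword` field would not, so check the mapping first. The `if` in the script transform is the place for whatever per-hit condition is wanted (here it double-checks the instance id against the max), and the transform replaces the payload, so the email loops over `ctx.payload.critical_ids` instead of `ctx.payload.hits.hits`. The compare condition runs before the transform and reads `hits.total` as a number, which is the 6.x shape; on 7.x it is an object and the path becomes `ctx.payload.second.hits.total.value`. Run it through the execute watch API, as recommended above, to see each stage's payload before scheduling it.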