Rollup Job when one of the Terms field is array of objects

Elastic Stack Kibana
1

I am trying to create a RollUp job from Kibana. In the Terms field where I have given multiple fields, in which one of the fields is of an array type (actually array of objects). How can I define which item/object of the array should be part of the RollUp job?
In the example below, e.g. details.time.observation - can I address somehow either first or last object in the array or the latest one (i.e. max value of a object's time.observation field in the array)?

{
  "_index": "...",
  ...
  "_source": {
    "method": "GET",
    "logged": "2023-03-24T08:34:02+0000",
    "@timestamp": "2023-03-24T08:34:02.000Z",
    "client": "ABC",
    "request": {
      "name": "get_data",
      "ip": "10.10.10.10"
    },
    "details": [
      {
        "source": {
          "name": "get_data"
        },
        "time": {
          "observation": "2021-12-13T14:57:49+0000"
        },
        "seen": {
          "first": "2021-12-14T01:31:59+0000",
          "last": "2023-03-23T10:36:37+0000"
        },
        "status": {
          "code": "200"
        }
      },
      {
        "source": {
          "name": "get_data"
        },
        "time": {
          "observation": "2021-15-12T14:25:29+0000"
        },
        "seen": {
          "first": "2021-13-18T01:31:59+0000",
          "last": "2023-03-23T10:36:37+0000"
        },
        "status": {
          "code": "404"
        }
      }
    ],
    "log": {
      "file": {}
    },
    "client_ip": "192.168.0.37"
  }
}

Group by on: client, request.name, details.time.observation [either first/last in the array or one with a max value]

2

@alisongoryachev can we please get some help?

Thanks,
Bhavya

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.