Here is my aggregation query:
{
  "size": 0,
  "aggs": {
    "range": {
      "date_range": {
        "field": "source time",
        "ranges": [
          {
            "from": "2018-01-01",
            "to": "now/d"
          }
        ]
      },
      "aggs": {
        "by ip": {
          "terms": {
            "field": "ip.keyword",
            "size": 300
          },
          "aggs": {
            "by date": {
              "date_histogram": {
                "field": "source time",
                "interval": "day"
              }
            }
          }
        }
      }
    }
  }
}
and sample response:
"aggregations": {
  "range": {
    "buckets": [
      {
        "key": "2018-01-01T00:00:00.000Z-2018-11-11T00:00:00.000Z",
        "from_as_string": "2018-01-01T00:00:00.000Z",
        "to_as_string": "2018-11-11T00:00:00.000Z",
        "doc_count": 13000,
        "by ip": {
          "buckets": [
            {
              "key": "192.168.0.1",
              "doc_count": 20,
              "by date": {
                "buckets": [
                  {
                    "key_as_string": "2018-04-30T00:00:00.000Z",
                    "doc_count": 10,
...
I have a separate Logstash configuration file that takes in this aggregated response as input and performs some data manipulations such as renaming of aggregated fields before parsing it back into Elasticsearch as a new index.
Here's part of my filter plugin where I use the Ruby filter to rename the "key_as_string" date field.
filter {
  split {
    field => "[aggregations][range][buckets]"
  }
  split {
    field => "[aggregations][range][buckets][by ip][buckets]"
  }
  split {
    field => "[aggregations][range][buckets][by ip][buckets][by date][buckets]"
  }
  ruby {
    code => "event.set('Source Time', event.get('[aggregations][range][buckets][by ip][buckets][by date][buckets][key_as_string]'))"
  }
}
However, I am getting this Ruby exception: "No implicit conversion of Fixnum into String". Please advise.
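As an added illustration (not part of the original post and not Logstash's own code), the following Ruby models what the three split filters in the question do to the nested aggregation response and where the "key_as_string" value ends up afterwards. The sample response, the split emulation and the flatten_aggregation helper are constructed for this example.

```ruby
# Constructed sample in the shape of the aggregation response quoted in the
# question (two IPs, three daily buckets); not real data.
AGG_RESPONSE = {
  'aggregations' => { 'range' => { 'buckets' => [
    { 'key' => '2018-01-01T00:00:00.000Z-2018-11-11T00:00:00.000Z', 'doc_count' => 30,
      'by ip' => { 'buckets' => [
        { 'key' => '192.168.0.1', 'doc_count' => 20, 'by date' => { 'buckets' => [
          { 'key_as_string' => '2018-04-30T00:00:00.000Z', 'doc_count' => 10 },
          { 'key_as_string' => '2018-05-01T00:00:00.000Z', 'doc_count' => 10 } ] } },
        { 'key' => '10.0.0.7', 'doc_count' => 10, 'by date' => { 'buckets' => [
          { 'key_as_string' => '2018-06-02T00:00:00.000Z', 'doc_count' => 10 } ] } }
      ] } }
  ] } }
}

# The three field references used by the split filters in the question.
SPLITS = [
  '[aggregations][range][buckets]',
  '[aggregations][range][buckets][by ip][buckets]',
  '[aggregations][range][buckets][by ip][buckets][by date][buckets]'
]

# Turn a Logstash field reference such as "[aggregations][range][buckets]"
# into its path segments: ["aggregations", "range", "buckets"].
def field_path(ref)
  ref.scan(/\[([^\]]+)\]/).flatten
end

# Emulate the split filter: every event whose field at `ref` holds an array
# becomes one event per element, with the array replaced by that element.
def split_events(events, ref)
  path = field_path(ref)
  events.flat_map do |ev|
    elems = path.inject(ev) { |node, k| node[k] }
    elems.map do |elem|
      copy = Marshal.load(Marshal.dump(ev))   # deep copy, like a cloned event
      path[0..-2].inject(copy) { |node, k| node[k] }[path.last] = elem
      copy
    end
  end
end

# Apply the three splits, then the assignment the ruby filter performs,
# yielding one flat record per (ip, day) bucket.
def flatten_aggregation(response)
  events = SPLITS.inject([response]) { |evs, ref| split_events(evs, ref) }
  events.map do |ev|
    day = field_path(SPLITS.last).inject(ev) { |node, k| node[k] }
    ip  = field_path(SPLITS[1]).inject(ev) { |node, k| node[k] }['key']
    { 'ip' => ip, 'Source Time' => day['key_as_string'], 'doc_count' => day['doc_count'] }
  end
end
```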