Script for Aggs

schneider · July 1, 2019, 3:55pm

The search is working fine, but i want to retrive only the "remetente" with ("doc_count">=50),
This is exemple for the search:

GET /imsva_message/_search 
{ 
"size": 0,
"aggs" : { 
    "aggdata" : { 
        "filter": { 
          "range": {
            "data1": {
              "from": "now-15m",
              "to": "now"
            }
          }
        },
        "aggs" : { 
          "aggremetente" : { 
            "terms" : { 
              "field" : "remetente.keyword" 
            } 
          } 
        } 
    } 
 } 
}

and this is a response:

{
"took" : 101,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 2806032,
"max_score" : 0.0,
"hits" : [ ]
},
"aggregations" : {
"aggdata" : {
  "doc_count" : 1450,
  "aggremetente" : {
    "doc_count_error_upper_bound" : 8,
    "sum_other_doc_count" : 558,
    "buckets" : [
      {
        "key" : "xxx@xxx",
        "doc_count" : 467
      },
      {
        "key" : "xxx.com.br",
        "doc_count" : 103
      },
      {
        "key" : "xxx@yyy",
        "doc_count" : 73
      },
      {
        "key" : "yyy@xxx",
        "doc_count" : 61
      },
      {
        "key" : "xyx@xxx",
        "doc_count" : 56
      },
      {
        "key" : "xyx@yyy",
        "doc_count" : 55
      },
      {
        "key" : "xxx@xyx",
        "doc_count" : 20
      },
      {
        "key" : "yyy@xyx",
        "doc_count" : 19
      },
      {
        "key" : "yyy.yyy.com.br",
        "doc_count" : 17
      },
      {
        "key" : "yyy@yyy",
        "doc_count" : 15
      }
    ]
  }
}
}
}

and the response a want is the the "keys" with "doc_count" : >=50, what would it be:

{
        "key" : "xxx@xxx",
        "doc_count" : 467
      },
      {
        "key" : "xxx.com.br",
        "doc_count" : 103
      },
      {
        "key" : "xxx@yyy",
        "doc_count" : 73
      },
      {
        "key" : "yyy@xxx",
        "doc_count" : 61
      },
      {
        "key" : "xyx@xxx",
        "doc_count" : 56
      },
      {
        "key" : "xyx@yyy",
        "doc_count" : 55
      }
}

spinscale · July 2, 2019, 11:20am

See the min_doc_count option in the terms agg.

--Alex

schneider · July 2, 2019, 5:51pm

Thank you Alex, is working fine.

system · July 30, 2019, 5:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.