Is it possible to use scripted fields with aggregation of entities (min, max, top, etc.)?
I need to find the count of documents in which the value of one field is the maximum for the selected time filter.
Hi Tatiana,
Unfortunately there isn't a way to do this in Kibana. By the way, scripted fields are only per document, rather than an aggregation.
Here's just an example of something that's possible, but it's not what you want. Just to illustrate:
Explanation: The data is some logstash-like data. Here the parent aggregation is a simple date-histogram. For every time-bucket, we do a sub-aggregation: a terms-aggregation on the geo.dest field. Concretely, this means it aggregates all the documents for each geo.dest value (China, USA, etc), and gives a count for each value. The max bucket aggregation keeps track of that sub-terms aggregation where the count is the highest.
Again, that doesn't solve your issue--you want to go a step further and find the count of documents with a particular max value. If you could do an aggregation to keep track of the max value, then do another request using that max value to filter documents with that, that would get you there. But it would require two requests at least to combine that data, as far as I know.
You can solve this, but it doesn't involve Kibana. You could use one of the language clients for Elasticsearch and write a query that runs an aggregation to get the max (for some time range), then filter on value = max and count those documents.
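The two-request approach described in the reply above, as an added example that is not part of the original thread: a `max` aggregation over the time window, then a `_count` filtered on that value. The `post(path, body)` transport callable, the index name, the `bytes` and `@timestamp` fields, and the sample documents are assumptions constructed for illustration; `fake_post` is an in-memory stand-in so the block runs without a cluster.

```python
def time_filter(time_field, gte, lte):
    return {"range": {time_field: {"gte": gte, "lte": lte}}}

def count_docs_at_max(post, index, field, time_field, gte, lte):
    """Return (max_value, number of documents in the window holding it)."""
    window = time_filter(time_field, gte, lte)
    # Request 1: max of `field` inside the time window, no hits returned.
    resp = post(f"/{index}/_search", {
        "size": 0,
        "query": window,
        "aggs": {"field_max": {"max": {"field": field}}},
    })
    # The max aggregation reports a double, or null when nothing matched.
    max_value = resp["aggregations"]["field_max"]["value"]
    if max_value is None:
        return None, 0
    # Request 2: count documents in the same window whose field equals the max.
    resp = post(f"/{index}/_count", {
        "query": {"bool": {"filter": [window, {"term": {field: max_value}}]}}
    })
    return max_value, resp["count"]

# Constructed sample documents (not from the thread).
DOCS = [
    {"@timestamp": "2017-05-01T10:00:00Z", "bytes": 4200},
    {"@timestamp": "2017-05-01T11:00:00Z", "bytes": 9731},
    {"@timestamp": "2017-05-01T12:00:00Z", "bytes": 9731},
    {"@timestamp": "2017-05-01T13:00:00Z", "bytes": 120},
    {"@timestamp": "2017-05-02T09:00:00Z", "bytes": 15000},
]

def _in_window(doc, rng):
    (time_field, bounds), = rng["range"].items()
    return bounds["gte"] <= doc[time_field] <= bounds["lte"]

def fake_post(path, body):
    """Evaluates only the two request shapes built above, against DOCS."""
    if path.endswith("/_search"):
        hits = [d for d in DOCS if _in_window(d, body["query"])]
        field = body["aggs"]["field_max"]["max"]["field"]
        value = float(max(d[field] for d in hits)) if hits else None
        return {"aggregations": {"field_max": {"value": value}}}
    window, term = body["query"]["bool"]["filter"]
    (field, value), = term["term"].items()
    matched = [d for d in DOCS if _in_window(d, window) and d[field] == value]
    return {"count": len(matched)}
```

Against a real cluster, `post` can be any function that sends the JSON body to the given path and returns the parsed response. Documents indexed between the two requests can change the result, since the requests are not atomic.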