Significant terms and logstash

Klavs_Klavsen · May 15, 2014, 6:36am

Hi guys,

I am looking into using the significant terms aggregation with our logstash
data, but my reading of it has given me one issue which I hope you have
ideas for solving.

As I understand it - ES 1.1.1 only supports using 1 index (entire index) as
the "background data" to identify what stands out in the search'ed set.
Problem with logstash - is that it per default creates a new index every
day (which I like for a lot of other purposes), but if a significant terms
aggregation on logs should make sense - it would be more relevant to be
able to use a month or so, as the "background data".

Anyone know if I can somehow pursuade it, into using more than just 1 index
as "background data" ? Or would I have to have a copy of 1 months data or
so - put into a "background index" - to do this?

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/af955818-9a40-44c1-90fb-e074cc1983bb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

loren · May 23, 2014, 11:52pm

I just tried this out with 1.2.0 and got the same result. Even if I specify
logstash-*, it only seems to take today's index into account. However, the
documentationhttp://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-aggregations-bucket-significantterms-aggregation.html#_single_set_analysisstates that "the background set used for statistical comparisons is the
index or indices from which the results were gathered".

So it seems like it ought to work as you and I are hoping, but perhaps
someone else has more info.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/22c7c4b6-0665-4286-8a0c-0c9decf67795%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Topic		Replies	Views
Elasticsearch @timestamp affects the background document count(bg_count) of significant_terms aggregation Elasticsearch	1	606	July 6, 2017
Detail questions about significant_terms aggregation Elasticsearch	1	322	July 6, 2017
Aggregation across multiple indexes/indices - significant terms Elasticsearch	5	621	March 17, 2022
Significant Term aggregation Elasticsearch	9	624	July 6, 2017
Management of indexes Elasticsearch	2	281	July 6, 2017

Significant terms and logstash

Related topics