Sliding date range aggs


(Ragnar Rova) #1

Hello.

I have indexed docs describing session activity, with timestamp and session_id fields.

I want to count the active sessions using this definition:

A session is active if for any point in time T, there has been at least one session activity doc within T-75s, but multiple docs with same session_id do not count double.

Then I want this aggregated into date buckets, for example 15-second buckets over an hour's worth of data.

So far, the only approach has been something like the below.

Is there something cleaner than this?

"aggs": {
    "15s_ranges": {
        "date_range": {
            "field": "timestamp",
            "ranges": [
                { "to": "now", "from": "now-75s" },
                { "to": "now-15s", "from": "now-90s" },
                { "to": "now-30s", "from": "now-105s" },
                { "to": "now-45s", "from": "now-120s" },
                { "to": "now-60s", "from": "now-135s" },
                ...
            ]
        },
        "aggs": {
            "unique_count_of_session_id": {
                "cardinality": {
                    "field": "session_id"
                }
            }
        }
    }
}

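An added example (not part of the original post) that generalizes the hand-written range list above: `build_sliding_ranges` generates the overlapping `date_range` entries for any window length, step and span, so the elided "..." part of the query does not have to be typed out, and `active_sessions` computes the same per-bucket count of distinct `session_id` values exactly over a few constructed documents. That local count is useful as a check, because Elasticsearch's `cardinality` aggregation is approximate (HyperLogLog++); `precision_threshold` is a real option of that aggregation and raises the range over which counts are near-exact. The function names, the document shape and the sample data are assumptions made for this example. Overlapping ranges are legitimate in `date_range`: a document is counted in every range it falls into, which is exactly what a sliding window needs.

```python
from datetime import datetime, timedelta, timezone
import json

# Hypothetical helper (not from the post): build the overlapping "date_range"
# entries for a sliding window of `window_s` seconds evaluated every `step_s`
# seconds over the last `span_s` seconds. Offset 0 is the bucket ending "now".
def build_sliding_ranges(window_s=75, step_s=15, span_s=3600):
    ranges = []
    for offset in range(0, span_s, step_s):
        to = "now" if offset == 0 else f"now-{offset}s"
        ranges.append({"from": f"now-{offset + window_s}s", "to": to})
    return ranges


# Hypothetical helper: the full search body with the generated ranges and the
# cardinality sub-aggregation from the post. precision_threshold is a real
# cardinality option; 3000 is a constructed value, not a recommendation.
def build_query(window_s=75, step_s=15, span_s=3600):
    return {
        "size": 0,
        "aggs": {
            f"{step_s}s_ranges": {
                "date_range": {
                    "field": "timestamp",
                    "ranges": build_sliding_ranges(window_s, step_s, span_s),
                },
                "aggs": {
                    "unique_count_of_session_id": {
                        "cardinality": {
                            "field": "session_id",
                            "precision_threshold": 3000,
                        }
                    }
                },
            }
        },
    }


# Exact reference count over documents held locally: for each bucket, the set
# of distinct session_ids with at least one doc in [upper - window, upper).
# "from" is inclusive and "to" exclusive, matching date_range semantics.
def active_sessions(docs, now, window_s=75, step_s=15, span_s=3600):
    results = []
    for offset in range(0, span_s, step_s):
        upper = now - timedelta(seconds=offset)
        lower = upper - timedelta(seconds=window_s)
        sessions = {d["session_id"] for d in docs if lower <= d["timestamp"] < upper}
        results.append((offset, len(sessions)))
    return results


# Constructed sample data: session s1 logs activity twice inside one window,
# which must count once; s2 and s3 appear at other offsets.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"session_id": "s1", "timestamp": NOW - timedelta(seconds=10)},
    {"session_id": "s1", "timestamp": NOW - timedelta(seconds=20)},
    {"session_id": "s2", "timestamp": NOW - timedelta(seconds=70)},
    {"session_id": "s3", "timestamp": NOW - timedelta(seconds=100)},
    {"session_id": "s2", "timestamp": NOW - timedelta(seconds=130)},
]


if __name__ == "__main__":
    # Query body for three minutes of history, and the exact counts the
    # cardinality buckets should approximate for the sample docs.
    print(json.dumps(build_query(span_s=180), indent=2))
    for offset, count in active_sessions(SAMPLE_DOCS, NOW, span_s=180):
        print(f"now-{offset}s: {count} active session(s)")
```

The generated list reproduces the post's first entries (`now-75s`..`now`, `now-90s`..`now-15s`, and so on). Running the exact count beside the Elasticsearch result is the cheapest way to confirm that the window and step are what you intended before trusting the approximate cardinality figures.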
(system) #2