Sorting based on scripted metrics aggregation

Elastic Stack Elasticsearch
1

Hello!

I faced a limitation on sorting buckets of a term aggrigation, based on a scripted metrics sub aggregation values.

This issue clearly states that it is not possible to do this in elasticsearch.

However, i managed to do this using Bucket Sort aggregation.
Results make sense as far i can tell.
I want to know am i missing something? is my approach correct?
Query:

{
  "aggs": {
    "by-method-name": {
      "terms": {
        "field": "event_name.keyword"
      },
      "aggs": {
        "percentages_calc": {
          "scripted_metric": {
            "init_script": "state.errors = 0; state.t = 0;",
            "map_script": "if (doc['event_outcome.keyword'].value == 'ERROR') { state.errors += 1;state.t += 1} state.t += 1",
            "combine_script": "return state",
            "reduce_script": "double failureT = 0;double total = 0; for (s in states) {failureT += s.errors; total += s.t} return (failureT/total) * 100;"
          }
        },
        "sort_by_percentage": {
          "bucket_sort": {
            "sort": [
              {
                "percentages_calc.value": {
                  "order": "desc"
                }
              }
            ]
          }
        }
      }
    }
  },
  "size": 0
}
2

One more note is that i am hardcoding a large enough size & shard_size parameters for terms aggregation to ensure zero doc_count_error_upper_bound. So the query is actually:

{
  "aggs": {
    "by-method-name": {
      "terms": {
        "field": "event_name.keyword",
        "size": 5000000,
        "shard_size":5000000
      },
      "aggs": {
        "percentages_calc": {
          "scripted_metric": {
            "init_script": "state.errors = 0; state.t = 0;",
            "map_script": "if (doc['event_outcome.keyword'].value == 'ERROR') { state.errors += 1;state.t += 1} state.t += 1",
            "combine_script": "return state",
            "reduce_script": "double failureT = 0;double total = 0; for (s in states) {failureT += s.errors; total += s.t} return (failureT/total) * 100;"
          }
        },
        "sort_by_percentage": {
          "bucket_sort": {
            "sort": [
              {
                "percentages_calc.value": {
                  "order": "desc"
                }
              }
            ]
          }
        }
      }
    }
  },
  "size": 0
}
3

Anybody can comment here ? :slight_smile:
Thanks!!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.