Table Visual with Top Hit and filtering

Hello there.

I have a table visual in which I have 2 Top Hits aggs. This is for Metricbeat filesystem used, trying to see when a host breaks a threshold. The Top Hits are for when the host is first seen in the query results for breaking the threshold and for when the host is last seen.

What I am looking to do is keep the first doc data for when the host breaks the threshold, and the last document, but filter out anything that is older than x number of hours.

Here is the request sent by my table visual:

    {
      "aggs": {
        "2": {
          "terms": {
            "field": "host.name",
            "order": {
              "_count": "desc"
            },
            "size": 50
          },
          "aggs": {
            "3": {
              "top_hits": {
                "docvalue_fields": [
                  {
                    "field": "@timestamp",
                    "format": "date_time"
                  }
                ],
                "_source": "@timestamp",
                "size": 1,
                "sort": [
                  {
                    "@timestamp": {
                      "order": "asc"
                    }
                  }
                ]
              }
            },
            "4": {
              "top_hits": {
                "docvalue_fields": [
                  {
                    "field": "@timestamp",
                    "format": "date_time"
                  }
                ],
                "_source": "@timestamp",
                "size": 1,
                "sort": [
                  {
                    "@timestamp": {
                      "order": "desc"
                    }
                  }
                ]
              }
            }
          }
        }
      },
      "query": {
        "bool": {
          "must": [],
          "filter": [
            {
              "bool": {
                "should": [
                  {
                    "range": {
                      "system.filesystem.used.pct": {
                        "gte": ".9"
                      }
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            },
            {
              "match_phrase": {
                "system.filesystem.mount_point": {
                  "query": "C:\\"
                }
              }
            },
            {
              "range": {
                "@timestamp": {
                  "format": "strict_date_optional_time",
                  "gte": "2020-07-16T04:13:51.121Z",
                  "lte": "2020-07-30T04:13:51.121Z"
                }
              }
            }
          ],
          "should": [],
          "must_not": []
        }
      }
    }
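As an added example (not code from the original post or from Elastic), here is one way to express the "first seen / last seen, but drop hosts older than x hours" requirement. It rebuilds the request above in Python, adds a `max` aggregation on `@timestamp` and a `bucket_selector` pipeline aggregation that discards every host bucket whose most recent over-threshold document is older than the cutoff. Because the classic Kibana table visual does not expose `bucket_selector`, a client-side filter applying the same rule to a response is included as well. The aggregation names (`per_host`, `first_seen`, `last_seen`, `last_seen_ms`, `still_recent`), the `now` parameter and the sample response are this example's own assumptions; the field names are the Metricbeat ones from the post.

```python
"""Added example: terms + top_hits with an age cutoff on the latest hit.

Not from the original post. Field names are Metricbeat's; aggregation
names, helper names, NOW and SAMPLE_RESPONSE are assumptions made here.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible; in practice use datetime.now(timezone.utc).
NOW = datetime(2020, 7, 30, 4, 13, 51, tzinfo=timezone.utc)


def cutoff_millis(max_age_hours: int, now: datetime) -> int:
    """Epoch milliseconds of now - max_age_hours; ES exposes a date max() as a double in ms."""
    return int((now - timedelta(hours=max_age_hours)).timestamp() * 1000)


def build_query(threshold: float, mount_point: str, window_start: str,
                window_end: str, max_age_hours: int, now: datetime) -> dict:
    """Same filters as the visual, plus a bucket_selector that keeps only hosts
    whose latest over-threshold document is newer than the cutoff."""

    def top_hit(order: str) -> dict:
        return {"top_hits": {"_source": "@timestamp", "size": 1,
                             "sort": [{"@timestamp": {"order": order}}]}}

    return {
        "size": 0,  # only the aggregations are needed, not raw hits
        "query": {"bool": {"filter": [
            {"range": {"system.filesystem.used.pct": {"gte": threshold}}},
            {"match_phrase": {"system.filesystem.mount_point": {"query": mount_point}}},
            {"range": {"@timestamp": {"format": "strict_date_optional_time",
                                      "gte": window_start, "lte": window_end}}},
        ]}},
        "aggs": {"per_host": {
            # NOTE: size/order are applied before the selector runs, so a host
            # can be cut by the top-50 truncation before it is ever evaluated.
            "terms": {"field": "host.name", "size": 50, "order": {"_count": "desc"}},
            "aggs": {
                "first_seen": top_hit("asc"),
                "last_seen": top_hit("desc"),
                "last_seen_ms": {"max": {"field": "@timestamp"}},
                "still_recent": {"bucket_selector": {
                    "buckets_path": {"last": "last_seen_ms"},
                    # Painless: drop the bucket when the latest hit is older than the cutoff
                    "script": {"source": "params.last >= params.cutoff",
                               "params": {"cutoff": cutoff_millis(max_age_hours, now)}},
                }},
            },
        }},
    }


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def recent_hosts(response: dict, max_age_hours: int, now: datetime) -> list:
    """Client-side equivalent of the selector: (host, first_seen, last_seen) rows
    for hosts whose last_seen is within max_age_hours of now."""
    cutoff = now - timedelta(hours=max_age_hours)
    rows = []
    for bucket in response["aggregations"]["per_host"]["buckets"]:
        first = bucket["first_seen"]["hits"]["hits"][0]["_source"]["@timestamp"]
        last = bucket["last_seen"]["hits"]["hits"][0]["_source"]["@timestamp"]
        if _parse_ts(last) >= cutoff:
            rows.append((bucket["key"], first, last))
    return rows


def _bucket(host: str, first: str, last: str) -> dict:
    """Build one constructed terms bucket in the shape Elasticsearch returns."""
    hit = lambda ts: {"hits": {"hits": [{"_source": {"@timestamp": ts}}]}}
    return {"key": host, "doc_count": 2, "first_seen": hit(first), "last_seen": hit(last)}


# Constructed sample response (no real cluster involved): one host still over
# the threshold shortly before NOW, one that last breached it a week earlier.
SAMPLE_RESPONSE = {"aggregations": {"per_host": {"buckets": [
    _bucket("web-01", "2020-07-18T09:00:00.000Z", "2020-07-30T03:50:00.000Z"),
    _bucket("db-02", "2020-07-16T05:00:00.000Z", "2020-07-22T11:30:00.000Z"),
]}}}


if __name__ == "__main__":
    print(json.dumps(build_query(0.9, "C:\\", "2020-07-16T04:13:51.121Z",
                                 "2020-07-30T04:13:51.121Z", 6, NOW), indent=2))
    for row in recent_hosts(SAMPLE_RESPONSE, 6, NOW):
        print(row)
```

Two things worth keeping in mind: the selector only removes buckets after the `terms` aggregation has already picked its top 50 by document count, so a quiet host can be dropped before the age check ever sees it, and the `max` value is compared in epoch milliseconds, so the cutoff must be supplied in the same unit.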
