Tsvb - Sort by bucket script's value?

Skeeve · January 7, 2020, 2:28pm

My data contains informat about several companies sending mail. Each document contains

company name (tenant_name)
sending domain
total amount of mails sent (total_volume)
amount of mails considered spam (spam_complaints)

PUT /myindex
POST _bulk
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_a", "domain": "domain_1", "total_volume": 33, "spam_complaints": 10 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_a", "domain": "domain_2", "total_volume": 33, "spam_complaints": 5 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_a", "domain": "domain_3", "total_volume": 34, "spam_complaints": 1 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_b", "domain": "domain_2", "total_volume": 333, "spam_complaints": 1 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_b", "domain": "domain_3", "total_volume": 333, "spam_complaints": 1 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_b", "domain": "domain_4", "total_volume": 334, "spam_complaints": 1 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_c", "domain": "domain_3", "total_volume": 3, "spam_complaints": 1 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_c", "domain": "domain_4", "total_volume": 3, "spam_complaints": 1 }
{ "index": { "_index": "myindex" }}
{ "date": "2020-01-08", "tenant_name": "company_c", "domain": "domain_1", "total_volume": 4, "spam_complaints": 2 }

What I like to get is the percentage of spam per company over the time. I already solved that using tsvb.

But when it comes to grouping (by term "tenant_name") I can only order by total_volume or spam_complaints. Both is not sufficient as I would need to order by the percentage of spam_complaints (so by spam_complaints/total_volume).

Looking at the data you can see that each metric (total_volume, spam_complaints, percentage) would give a different order:

I currently see no way how to achieve the ordering by percentage, in this case so that company_c would be top.

tsullivan · January 9, 2020, 8:19pm

Elasticsearch is not able to sort buckets of pipeline aggregations, which is why TSVB doesn't give you that option.

Related: https://github.com/elastic/kibana/issues/12178

Skeeve · January 10, 2020, 6:37am

Thanks Tim.
Is there another way I could achieve the result I like? Meaning: Get an overview of every company's spam-quota per day where I only see the top n with the highest quota?

system · February 7, 2020, 6:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Percentages per day (per bucket) possible? Kibana	6	700	December 17, 2019
TSVB Table Sorted by timestamp Kibana	7	1802	May 13, 2021
How can buckets be sorted by doc_count ratio? Elasticsearch	2	848	November 12, 2020
Filter latest document in each bucket Elasticsearch kql-kibana-query-language	1	465	July 1, 2020
Examples/help please - how to query arrays of data in TSVB tables? Kibana	4	617	October 7, 2020

Tsvb - Sort by bucket script's value?

Related topics