Unique values of a term in an aggreation

stefws · October 16, 2018, 9:25am

I've been away for too long from ES query construction

I'm trying to do a simple query that returns buckets in an aggregation of a string term, for each bucket I would like the unique value of another aggregatable string term but wondering how to obtain this...

sample query:

{
  "query": {
     "term": { "event": "some-value" }
  },
  "size": 0,
  "aggs": {
    "user": {
      "terms": { "field": "user" }
    }
  }
}

which returns buckets of users like:

{
  "took": 789,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 369,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "user": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 1,
      "buckets": [
        {
          "key": "user1",
          "doc_count": 285
        },
        {
          "key": "user2",
          "doc_count": 29
        },
        {
          "key": "user3",
          "doc_count": 15
        },
        {
          "key": "user4",
          "doc_count": 10
        },
        {
          "key": "user5",
          "doc_count": 8
        }
      ]
    }
  }
}

Any hints appreciated, TIA!

spinscale · October 17, 2018, 7:33am

Hey,

I am not sure I got your requirement fully. What do you mean with unique value of another aggregatable string term - a sub aggregation or something else?

--Alex

stefws · October 18, 2018, 7:50am

Well I've got multiple docs with same user + another-aggregateable-string-term combo just @ different @timestamp, so I would like to get the list of unique user+another-aggregateable-string-term combos. My initial aggs gets me the unique buckets of users, then I'll like for each user-bucket the seen unique another-aggregateable-string-term.

Was that any clearer...

system · November 15, 2018, 7:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.