Is it possible to use an aggregation group_by attributes in a metric aggregation to determine if the metric should be counted or not?
Here is an example:
Index of documents - schema:
  @timestamp - UTC timestamp
  customer_id - A123
  thread_topics - object array
    id - 12345
    type - could be one of ['news', 'faq']
    name - 'ELK News Thread'
Transform T1 - record created by date, customer id, thread_topic name (one per thread_topic found in the record)
  Group by = @timestamp(1M), customer_id, thread_topics.name
  Aggregations:
    value_count_news - thread_topics of type 'NEWS'
    value_count_faq - thread_topics of type 'FAQ'
Example record - INPUT:
{
  "@timestamp": "2021-04-30T15:49:52.584Z",
  "customer_id": "A1234",
  "thread_topics": [
    {
      "id": 12345,
      "type": "NEWS",
      "name": "ELK News Thread"
    },
    {
      "id": 12347,
      "type": "NEWS",
      "name": "KIBANA News Thread"
    },
    {
      "id": 12346,
      "type": "FAQ",
      "name": "ELK FAQ Thread"
    }
  ]
}
The expected output of the transform:
[
  {
    "@timestamp": "2021-04-30T00:00:00.000Z",
    "customer_id": "A1234",
    "thread_topics.name": "ELK News Thread",
    "value_count_news": 1,
    "value_count_faq": 0
  },
  {
    "@timestamp": "2021-04-30T00:00:00.000Z",
    "customer_id": "A1234",
    "thread_topics.name": "KIBANA News Thread",
    "value_count_news": 1,
    "value_count_faq": 0
  },
  {
    "@timestamp": "2021-04-30T00:00:00.000Z",
    "customer_id": "A1234",
    "thread_topics.name": "ELK FAQ Thread",
    "value_count_news": 0
  }
]
What we are actually seeing:
[
  {
    "@timestamp": "2021-04-30T00:00:00.000Z",
    "customer_id": "A1234",
    "thread_topics.name": "ELK News Thread",
    "value_count_news": 2,
    "value_count_faq": 0
  },
  {
    "@timestamp": "2021-04-30T00:00:00.000Z",
    "customer_id": "A1234",
    "thread_topics.name": "KIBANA News Thread",
    "value_count_news": 2,
    "value_count_faq": 0
  },
  {
    "@timestamp": "2021-04-30T00:00:00.000Z",
    "customer_id": "A1234",
    "thread_topics.name": "ELK FAQ Thread",
    "value_count_news": 0,
    "value_count_faq": 1
  }
]
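The following is an added example, not part of the post above and not Elasticsearch code. It is a small Python model of the pivot the post describes, written to make the two candidate semantics concrete. `pivot_per_topic` counts each topic's type only inside the row for that topic, which is the output the post expects. `pivot_per_document` emits one row per distinct `thread_topics.name` but counts the type values of the whole document in every row, which is what a non-`nested` object array looks like to a per-bucket aggregation once its fields are flattened into multi-valued `thread_topics.name` and `thread_topics.type`. That second variant reproduces the doubled NEWS counts in the observed output but not the observed FAQ row, so it is offered only as a model to compare against, not as a diagnosis. The sample document is constructed to match the post; the example truncates the timestamp to the day because the post's sample rows are keyed on `2021-04-30T00:00:00.000Z` (a `1M` calendar interval would key on the first of the month instead).

```python
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed sample input, same shape as the document in the post.
SAMPLE_DOC = {
    "@timestamp": "2021-04-30T15:49:52.584Z",
    "customer_id": "A1234",
    "thread_topics": [
        {"id": 12345, "type": "NEWS", "name": "ELK News Thread"},
        {"id": 12347, "type": "NEWS", "name": "KIBANA News Thread"},
        {"id": 12346, "type": "FAQ", "name": "ELK FAQ Thread"},
    ],
}

# Output metric names used by the post; mapping from the (upper-cased) type value.
METRIC_FOR_TYPE = {"NEWS": "value_count_news", "FAQ": "value_count_faq"}


def bucket_key(timestamp: str) -> str:
    """Truncate an ISO-8601 UTC timestamp to the start of its day (assumed
    interval, chosen to match the post's sample rows)."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(hour=0, minute=0, second=0, microsecond=0).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _new_row():
    return {metric: 0 for metric in METRIC_FOR_TYPE.values()}


def _rows_to_list(rows):
    """Flatten the grouped dict into the list-of-rows shape the post shows,
    ordered by (timestamp, customer_id, topic name)."""
    return [
        {"@timestamp": ts, "customer_id": cid, "thread_topics.name": name, **counts}
        for (ts, cid, name), counts in sorted(rows.items())
    ]


def pivot_per_topic(docs):
    """Expected semantics: each row counts only the topic it is keyed on."""
    rows = defaultdict(_new_row)
    for doc in docs:
        ts, cid = bucket_key(doc["@timestamp"]), doc["customer_id"]
        for topic in doc["thread_topics"]:
            metric = METRIC_FOR_TYPE.get(topic["type"].upper())
            if metric is not None:
                rows[(ts, cid, topic["name"])][metric] += 1
    return _rows_to_list(rows)


def pivot_per_document(docs):
    """Flattened-object semantics: one row per distinct topic name, but the
    counts are taken over every thread_topics.type value in the document,
    because a per-bucket aggregation sees the whole document, not one array
    element. This is a model for comparison, not Elasticsearch's own code."""
    rows = defaultdict(_new_row)
    for doc in docs:
        ts, cid = bucket_key(doc["@timestamp"]), doc["customer_id"]
        doc_counts = _new_row()
        for topic in doc["thread_topics"]:
            metric = METRIC_FOR_TYPE.get(topic["type"].upper())
            if metric is not None:
                doc_counts[metric] += 1
        for name in {t["name"] for t in doc["thread_topics"]}:
            for metric, n in doc_counts.items():
                rows[(ts, cid, name)][metric] += n
    return _rows_to_list(rows)


if __name__ == "__main__":
    print("per topic:", json.dumps(pivot_per_topic([SAMPLE_DOC]), indent=2))
    print("per document:", json.dumps(pivot_per_document([SAMPLE_DOC]), indent=2))
```

Running the block prints both pivots for the sample document: the per-topic rows carry `1`/`0` for the two NEWS threads and `0`/`1` for the FAQ thread, while the per-document rows all carry `2` NEWS and `1` FAQ. Comparing a transform's actual output against these two shapes is a quick way to tell whether the metric aggregations are operating on the whole document rather than on the group_by value.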