Using Group By Keys to apply metric aggregation

Craig_Uss · April 30, 2021, 4:28pm

Is it possible to use an aggregation group_by attributes in a metric aggregation to determine if the metric should be counted or not?

Here is an example:
Index of documents: Schema

    @timestamp - UTC Timestamp
    customer_id - A123
    thread_topics - Object array
        id - 12345
        type - could be one of [ 'news' , 'faq' ]
        name - 'ELK News Thread'

Transform - T1 - Record created by date, customer id, thread_topic name (each one found in record)

   Group by = @timestamp(1M), customer_id, thread_topics.name
   Aggregations:
        value_count_news: 
             thread_topics of type 'NEWS'
        value_count_faq:
             thread_topics of type 'FAQ'

Example record - INPUT

    {
    	"@timestamp": "2021-04-30T15:49:52.584Z",
    	"customer_id": "A1234",
    	"thread_topics": [
    		{
    			"id": 12345,
    			"type": "NEWS",
    			"name": "ELK News Thread"
    		},
                {
    			"id": 12347,
    			"type": "NEWS",
    			"name": "KIBANA News Thread"
    		}
    		{
    			"id": 12346,
    			"type": "FAQ",
    			"name": "ELK FAQ Thread"
    		}
    	]
    }

The expected output in transform:

  [
   	{
   		"@timestamp": "2021-04-30T00:00:00.000Z",
   		"customer_id": "A1234",
   		"thread_topics.name": "ELK News Thread",
   		"value_count_news": 1,
   		"value_count_faq": 0
   	},
   	{
   		"@timestamp": "2021-04-30T00:00:00.000Z",
   		"customer_id": "A1234",
   		"thread_topics.name": "KIBANA News Thread",
   		"value_count_news": 1,
   		"value_count_faq": 0
   	},
   	{
   		"@timestamp": "2021-04-30T00:00:00.000Z",
   		"customer_id": "A1234",
   		"thread_topics.name": "ELK FAQ Thread",
   		"value_count_news": 0
   	}
   ]

What we are actually seeing

    [
    	{
    		"@timestamp": "2021-04-30T00:00:00.000Z",
    		"customer_id": "A1234",
    		"thread_topics.name": "ELK News Thread",
    		"value_count_news": 2,
    		"value_count_faq": 0
    	},
    	{
    		"@timestamp": "2021-04-30T00:00:00.000Z",
    		"customer_id": "A1234",
    		"thread_topics.name": "KIBANA News Thread",
    		"value_count_news": 2,
    		"value_count_faq": 0
    	},
    	{
    		"@timestamp": "2021-04-30T00:00:00.000Z",
    		"customer_id": "A1234",
    		"thread_topics.name": "ELK FAQ Thread",
    		"value_count_news": 0
    		"value_count_faq": 1
    	}
    ]

wei.wang · April 30, 2021, 5:04pm

Hi there,

Your question is similar like this one: Transform on fields of a nested object, and the background document is this: Nested aggregation | Elasticsearch Guide [7.12] | Elastic

As Hendrik answered in that topic , we don't have a date when to support it at this moment, unfortunately.

Cheers
Wei

system · May 28, 2021, 5:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch SQL in Kibana Kibana	6	601	September 11, 2019
Grouping and counting with filters using transformations API Elasticsearch	6	1241	February 7, 2020
Transforms - enabling filters as group_by Elasticsearch	5	424	July 23, 2020
Tophits on transform group by a field not all field Kibana transforms	16	1344	January 12, 2021
Transform - can I "group by" splitting values in one row? Kibana	9	1525	June 11, 2020

Using Group By Keys to apply metric aggregation

Related topics