Using "now" in bucket_selector script

Hey there,

I want to get the entities that showed up in the last 24h and suppress all those that had appeared earlier. The query looks like:

{
  "aggs": {
    "entity": {
      "terms": {
        "field": "name"
      },
      "aggs": {
        "first_seen": {
          "min": {
            "field": "@timestamp"
          }
        },
        "time_filter": {
          "bucket_selector": {
            "buckets_path": "first_seen",
            "script": "params.first_seen > now -1d"
          }
        }
      }
    }
  }
}

But I don't know how to include the current date in the script. I tried to pass it as an additional parameter to the script, however, without success.

Thanks in advance!

I think a better approach is to use a filter aggregation in between the "entity" and "first_seen" agg. Just filter the timestamp with a range query, and it will naturally only show "first_seen" buckets that have a value > the filter.
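
An added example, not part of the original thread: one way to get the current time into the bucket_selector script from the question is to compute it client-side and send it as a script parameter in epoch milliseconds, with buckets_path written as a map so that params.first_seen is defined. The function names, the terms size and the sample events are assumptions made for illustration; new_entities() is only a local reference for the result the aggregation is expected to give.

```python
import json
from datetime import datetime, timedelta, timezone

DAY_MS = 24 * 60 * 60 * 1000

def to_ms(dt):
    """Epoch milliseconds, the unit a min aggregation reports for a date field."""
    return int(dt.timestamp() * 1000)

def build_first_seen_query(now, field="name", ts_field="@timestamp", size=1000):
    """Request body keeping only terms buckets whose earliest event is < 24h old."""
    return {
        "size": 0,
        "aggs": {"entity": {
            # size is an assumed value; entities outside the top buckets are never evaluated.
            "terms": {"field": field, "size": size},
            "aggs": {
                "first_seen": {"min": {"field": ts_field}},
                "time_filter": {"bucket_selector": {
                    # Map form: exposes the min value as params.first_seen.
                    "buckets_path": {"first_seen": "first_seen"},
                    "script": {
                        "source": "params.first_seen > params.now_ms - params.window_ms",
                        # "now" is computed by the client and sent as a number.
                        "params": {"now_ms": to_ms(now), "window_ms": DAY_MS},
                    },
                }},
            },
        }},
    }

def new_entities(events, now):
    """Local reference for the same logic over (name, datetime) pairs."""
    first = {}
    for name, ts in events:
        first[name] = min(ts, first.get(name, ts))
    cutoff = to_ms(now) - DAY_MS
    return sorted(n for n, ts in first.items() if to_ms(ts) > cutoff)

# Constructed sample data (not from the thread).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("svc-old", NOW - timedelta(days=5)),
    ("svc-old", NOW - timedelta(hours=2)),   # seen recently, but not new
    ("svc-new", NOW - timedelta(hours=3)),
    ("svc-edge", NOW - timedelta(hours=25)),
]

if __name__ == "__main__":
    print(json.dumps(build_first_seen_query(NOW), indent=2))
    print(new_entities(EVENTS, NOW))  # ['svc-new']
```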
