For this example, I am using documents which look like this, where node is the node name, and failed is the cumulative rejected requests:
{
  "node": "node2",
  "failed": 6,
  "@timestamp": 1527267655
}
Take a look at this query:
{
  "size": 0,
  "aggs": {
    "nodes": {
      "terms": {
        "field": "node.keyword"
      },
      "aggs": {
        "min_failures": {
          "min": {
            "field": "failed"
          }
        },
        "max_failures": {
          "max": {
            "field": "failed"
          }
        },
        "failure_diff": {
          "bucket_script": {
            "buckets_path": {
              "min_failures": "min_failures",
              "max_failures": "max_failures"
            },
            "script": "params.max_failures - params.min_failures"
          }
        },
        "failure_diff_sort": {
          "bucket_sort": {
            "sort": [
              {
                "failure_diff": {
                  "order": "desc"
                }
              }
            ],
            "size": 5
          }
        }
      }
    }
  }
}
Which produces this result:
{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 4,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "nodes": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "node1",
          "doc_count": 2,
          "max_failures": {
            "value": 10
          },
          "min_failures": {
            "value": 1
          },
          "failure_diff": {
            "value": 9
          }
        },
        {
          "key": "node2",
          "doc_count": 2,
          "max_failures": {
            "value": 6
          },
          "min_failures": {
            "value": 5
          },
          "failure_diff": {
            "value": 1
          }
        }
      ]
    }
  }
}
This query uses aggregations to:
- Bucket by node
- Find min/max failed of each node bucket
- Find the difference between min/max using Bucket Script Aggregations
- Sort by the difference descending (largest discrepancy first), limited to the top 5 using Bucket Sort Aggregation
The key here is being able to use Bucket Script Aggregations, which is not yet supported in Kibana visualizations. There is an open issue here: https://github.com/elastic/kibana/issues/4707. But, I hope this query helps.
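The same pipeline as an added Python example, not part of the answer above: build_query() emits the query body with the field names and top-N as parameters, and failure_diff_per_node() evaluates the same terms, min/max, bucket_script and bucket_sort chain locally over constructed documents (the node1 values are inferred from the result shown), so the expected buckets can be checked without a cluster.

```python
from collections import defaultdict

# Constructed sample documents, shaped like the ones in the answer above
# (node name plus a cumulative "failed" counter). The node1 values are
# inferred from the result shown (max 10, min 1); node2 from the doc shown.
SAMPLE_DOCS = [
    {"node": "node1", "failed": 1, "@timestamp": 1527267595},
    {"node": "node1", "failed": 10, "@timestamp": 1527267655},
    {"node": "node2", "failed": 5, "@timestamp": 1527267595},
    {"node": "node2", "failed": 6, "@timestamp": 1527267655},
]


def build_query(node_field="node.keyword", counter_field="failed", top_n=5):
    """Same aggregation body as the answer, with field names and top-N as parameters."""
    script = {"buckets_path": {"min_failures": "min_failures", "max_failures": "max_failures"},
              "script": "params.max_failures - params.min_failures"}
    sort = {"sort": [{"failure_diff": {"order": "desc"}}], "size": top_n}
    return {"size": 0, "aggs": {"nodes": {
        "terms": {"field": node_field},
        "aggs": {"min_failures": {"min": {"field": counter_field}},
                 "max_failures": {"max": {"field": counter_field}},
                 "failure_diff": {"bucket_script": script},
                 "failure_diff_sort": {"bucket_sort": sort}}}}}


def failure_diff_per_node(docs, top_n=5):
    """Evaluate the pipeline locally: terms -> min/max -> bucket_script -> bucket_sort.

    Because "failed" is a cumulative counter, max - min is the number of
    rejected requests added during the window the documents cover (this
    assumes the counter was not reset, e.g. by a node restart).
    """
    per_node = defaultdict(list)
    for doc in docs:                      # terms bucket per node
        per_node[doc["node"]].append(doc["failed"])
    diffs = [(node, max(v) - min(v)) for node, v in per_node.items()]  # bucket_script
    diffs.sort(key=lambda item: item[1], reverse=True)                 # bucket_sort desc
    return diffs[:top_n]                                               # bucket_sort size
```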