{
"aggs":{
"nest_exams":{
"nested":{
"path": "exams"
},
"aggs":{
"exams":{
"filter" : {
"term": {
"exams.exam_id": 96690
}
},
"aggs":{
"nested_attempts":{
"nested":{
"path": "exams.attempts"
},
"aggs":{
"user_attempts":{
"terms":{
"field": "exams.attempts.user_id",
"size": 0
},
"aggs":{
"max_score":{
"max":{
"field": "exams.attempts.order_score"
}
}
}
}
}
}
}
}
}
}
}
Hello, I have this aggregation query. The problem is that even I can found the max_score per user, I can't sub aggregate to the max aggregator to find the date of this best score.
An attempt have user_id,order_score,date_start
An alternative is to not run the max metric sub-aggregation, but a top_hits instead sorted by descending max_score so you can retrieve the date_start of that document:
{
"aggs": {
"nest_exams": {
"nested": {
"path": "exams"
},
"aggs": {
"exams": {
"filter": {
"term": {
"exams.exam_id": 96690
}
},
"aggs": {
"nested_attempts": {
"nested": {
"path": "exams.attempts"
},
"aggs": {
"user_attempts": {
"terms": {
"field": "exams.attempts.user_id",
"size": 0
},
"aggs": {
"max_score": {
"top_hits": {
"sort": {
"exams.attempts.order_score": "desc"
},
"size": 1,
"_source": [
"date_start"
]
}
}
}
}
}
}
}
}
}
}
}
}
Related
I'm can't figure out how sorting the buckets results. I'm using ES 6.3 and following suggested docs. I'm trying to sort the results putting "bucket_sort" aggregation, but getting error. The follow query works but returns the buckets in same order no matter I put "sort" clause with 'asc' or 'desc' after "query" body:
{
"query": {
"bool":{
"filter":{
"wildcard": {
"datas.295.keyword": {
"value":"*w*"
}
}
}
}
},
"sort":[
{
"datas.295.keyword": {
"order" : "desc"
}
}
],
"aggs": {
"AGGREGATE_UNIQUE_VALUES_FROM_REPEATED": {
"terms": {
"field": "datas.295.keyword"
}
}
}}
returning records matchs with operating system windows XP, Windows Vista etc. But How to sort it in ascending order? I'm try this:
{
"query": {
"bool":{
"filter":{
"wildcard": {
"datas.295.keyword": {
"value":"*w*"
}
}
}
}
},
"aggs": {
"AGGREGATE_UNIQUE_VALUES_FROM_REPEATED": {
"terms": {
"field": "datas.295.keyword"
},
"aggs": {
"bucket_sort":{
"sort": [
{
"datas.295.keyword": {"order": "asc"}
}
]
}
}
}
}}
This query raising 'Expected [START_OBJECT] under [sort], but got a [START_ARRAY] in [bucket_sort]' error
Thank for read!
The hits and aggs are separate parts of the API. What you need is the terms' bucket order:
{
"query": {
"bool": {
"filter": {
"wildcard": {
"datas.295.keyword": {
"value": "*w*"
}
}
}
}
},
"sort": [
{
"datas.295.keyword": {
"order": "desc"
}
}
],
"aggs": {
"AGGREGATE_UNIQUE_VALUES_FROM_REPEATED": {
"terms": {
"field": "datas.295.keyword",
"order": {
"_key": "desc"
}
}
}
}
}
I am trying to add a prefix condition for my ES query in a "must" clause.
My current query looks something like this:
body = {
"query": {
"bool": {
"must":
{ "term": { "article_lang": 0 }}
,
"filter": {
"range": {
"created_time": {
"gte": "now-3h"
}
}
}
}
},
"aggs": {
"articles": {
"terms": {
"field": "article_id.keyword",
"order": {
"score": "desc"
},
"size": 1000
},
"aggs": {
"score": {
"sum": {
"field": "score"
}
}
}
}
}
}
I need to add a mandatory condition to my query to filter articles whose id starts with "article-".
So, far I have tried this:
{
"query": {
"bool": {
"should": [
{ "term": { "article_lang": 0 }},
{ "prefix": { "article_id": {"value": "article-"} }}
],
"filter": {
"range": {
"created_time": {
"gte": "now-3h"
}
}
}
}
},
"aggs": {
"articles": {
"terms": {
"field": "article_id.keyword",
"order": {
"score": "desc"
},
"size": 1000
},
"aggs": {
"score": {
"sum": {
"field": "score"
}
}
}
}
}
}
I am fairly new to ES and from the documentations online, I know that "should" is to be used for "OR" conditions and "must" for "AND". This is returning me some data but as per the condition it will be consisting of either article_lang=0 or articles starting with article-. When I use "must", it doesn't return anything.
I am certain that there are articles with id starting with this prefix because currently, we are iterating through this result to filter out such articles. What am I missing here?
In your prefix query, you need to use the article_id.keyword field, not article_id. Also, you should prefer filter over must since you're simply doing yes/no matching (aka filters)
{
"query": {
"bool": {
"filter": [ <-- change this
{
"term": {
"article_lang": 0
}
},
{
"prefix": {
"article_id.keyword": { <-- and this
"value": "article-"
}
}
}
],
"filter": {
"range": {
"created_time": {
"gte": "now-3h"
}
}
}
}
},
"aggs": {
"articles": {
"terms": {
"field": "article_id.keyword",
"order": {
"score": "desc"
},
"size": 1000
},
"aggs": {
"score": {
"sum": {
"field": "score"
}
}
}
}
}
}
Here is my query result
GET _search
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"serviceName.keyword": "directory-view-service"
}
},
{
"match": {
"path": "thewall"
}
},
{
"range": {
"#timestamp": {
"from": "now-31d",
"to": "now"
}
}
}
]
}
},
"aggs": {
"by_day": {
"date_histogram": {
"field": "date",
"interval": "7d"
},
"aggs": {
"byUserUid": {
"terms": {
"field": "token_userId.keyword",
"size": 150000
},
"aggs": {
"filterByCallNumber": {
"bucket_selector": {
"buckets_path": {
"doc_count": "_count"
},
"script": {
"inline": "params.doc_count <= 1"
}
}
}
}
}
}
}
}
}
I want my query return all user call my endpoint min. once time by 1 month range by 7 days interval, until then everything is good.
But my result is a buckets with 370 elements and I just need to know the array size...
Are there any keyword or how can I handle it ?
Thanks
I have docs with this structure:
{
FIELD1:string,
FIELD2:
[ {SUBFIELD:number}, {SUBFIELD:number}...]
}
I want to sort on the result of the sum of numbers in FIELD2.SUBFIELDs:
GET myindex/_search
{
"size":0,
"aggs": {
"a1": {
"terms": {
"field": "FIELD1",
"size":0
},
"aggs":{
"a2":{
"sum":{
"field":"FIELD2.SUBFIELD"
}
}
}
}
}
}
If I do this I obtain buckets not sorted, but I want buckets sorted by "a2" value.
How I can do this?
Thank you!
You almost had it. You just need to add an order property to your a1 terms aggregations, like this:
GET myindex/_search
{
"size":0,
"aggs": {
"a1": {
"terms": {
"field": "FIELD1",
"size":0,
"order": {"a2": "desc"} <--- add this
},
"aggs":{
"a2":{
"sum":{
"field":"FIELD2.SUBFIELD"
}
}
}
}
}
}
Brilliant from Val https://stackoverflow.com/users/4604579/val
Basically the same thing, but here's what worked for me to find the largest "size" for each "name", and to show the top 25 largest:
{
"size": 0,
"aggs": {
"agg1": {
"terms": {
"field": "name.keyword",
"order": {
"agg2": "desc"
},
"size": 25
},
"aggs": {
"agg2": {
"max": {
"field": "size"
}
}
}
}
}
}
This is a portion of the data I have indexed in elasticsearch:
{
"country" : "India",
"colour" : "white",
"brand" : "sony"
"numberOfItems" : 3
}
I want to get the total sum of numberOfItems on a per country basis, per colour basis and per brand basis. Is there any way to do this in elasticsearch?
The following should land you straight to the answer.
Make sure you enable scripting before using it.
{
"aggs": {
"keys": {
"terms": {
"script": "doc['country'].value + doc['color'].value + doc['brand'].value"
},
"aggs": {
"keySum": {
"sum": {
"field": "numberOfItems"
}
}
}
}
}
}
To get a single result you may use sum aggregation applied to a filtered query with term (terms) filter, e.g.:
{
"query": {
"filtered": {
"filter": {
"term": {
"country": "India"
}
}
}
},
"aggs": {
"total_sum": {
"sum": {
"field": "numberOfItems"
}
}
}
}
To get statistics for all countries/colours/brands in a single pass over the data you may use the following query with 3 multi-bucket aggregations, each of them containing a single-bucket sum sub-aggregation:
{
"query": {
"match_all": {}
},
"aggs": {
"countries": {
"terms": {
"field": "country"
},
"aggs": {
"country_sum": {
"sum": {
"field": "numberOfItems"
}
}
}
},
"colours": {
"terms": {
"field": "colour"
},
"aggs": {
"colour_sum": {
"sum": {
"field": "numberOfItems"
}
}
}
},
"brands": {
"terms": {
"field": "brand"
},
"aggs": {
"brand_sum": {
"sum": {
"field": "numberOfItems"
}
}
}
}
}
}