filtering values in elasticsearch - elasticsearch

I want to get the counts for two items in a column from my indexer in Elasticsearch. There is a column called "category" in my indexer and it contains multiple entries, of which I am interested in getting 'billing' and 'expenditure' for multiple dates. For this, I have written the query below, and it is not working for two values. I can pull a single value, either "billing" or "expenditure", but not two at once.
{
  "dates": {
    "date_histogram": {
      "field": "createdDateTime",
      "interval": "day"
    },
    "aggs": {
      "fields": {
        "term": {
          "field": "type",
          "include": ["billing", "expenditure"]
        }
      }
    }
  }
}
The above code is not working in this case; to make it work I need to change the "include" line to
  "include": "billing"
or
  "include": "expenditure"
It would be a great help if someone could look into this. :)
The answers below work for my post above. Now I have come across one more problem:
In my 'type' field, I want to filter one more value called "spent on". Here the problem is that ES considers this two-word value as two terms and the result is not as expected. Please help with this. I just want to filter this two-word value as a single word instead of two.

From the ES docs (https://www.elastic.co/guide/en/elasticsearch/reference/1.5/search-aggregations-bucket-terms-aggregation.html?q=terms%20agg#_filtering_values):
It is possible to filter the values for which buckets will be created.
This can be done using the include and exclude parameters which are
based on regular expression strings or arrays of exact values.
[1.5.0] Added in 1.5.0: support for arrays of values.
So it's possible to use an array since version 1.5:
"aggs": {
  "aggterm": {
    "terms": {
      "field": "type",
      "include": ["billing", "expenditure"]
    }
  }
}

The include expects a regex pattern. As #jgr pointed out, this is true only for versions of elasticsearch < 1.5.0. So the example provided in the query
would look something like the below for versions < 1.5.0:
"aggs": {
  "aggterm": {
    "terms": {
      "field": "type",
      "include": "billing|expenditure"
    }
  }
}
If not, the example you have in the OP should work.

Related

elasticsearch: count appearance of terms aggregation on other fields

I want to count how many times unique values (the result of a terms aggregation) have appeared in other fields in the same query. Let's say:
{
  "size": 0,
  "query": {
    "match_all": {}
  },
  "aggs": {
    "unique_products": {
      "terms": {
        "field": "products.name.keyword",
        "min_doc_count": 10
      }
    }
  }
}
What I want is to count how many times each of the keys returned in the bucket appeared in another field.
My ideal output is:
"aggregations": {
  "product_stat": {
    "key": "<product_name>",
    "sold": "<#>",  # I want to know how many times the key has appeared in another field like sold
    "bought": "<#>"
  }
}
Elasticsearch cannot do terms aggregations over multiple fields. In short, if it could, aggregations would not be blazing fast.
As the documentation suggests, there are two options:
use script terms aggregation (with performance penalty),
change how the documents are indexed so a normal terms aggregation can be used.
Depending on the structure of your data and your use-cases, you might get by with a complex aggregation + some processing on the client side. This can be done with sub aggregations like here, for example.
Hope that helps!

Multi_match query always returns empty results

As per the elasticsearch 5.1 documentation, I have built the following query to implement a basic search functionality on a subset of the piece of software I am building. For some reason, this query never returns any results even if all of the fields are present. All users are guaranteed to have all of these fields, but to be safe I tested it with each individual field and got the same result each time.
{
  "query": {
    "multi_match": {
      "fields": [
        "displayName",
        "title",
        "team",
        "teamLeader"
      ],
      "query": "a",
      "fuzziness": "AUTO"
    }
  }
}
I have also attempted using other types like best_fields, phrase_prefix, etc. to no avail. I know the data is there because my filter query works just fine, but suddenly no data returns after I add this section. Is there anything I can do to better debug this situation?

Elastic search filter value like "123-325-23243" during aggregation

In an Elasticsearch query, when I try to aggregate and I have a value like 1234-3245-34234-2342, it just returns with key: 1234
Is there any possibility of mentioning the property type or a regular expression in it?
Some more explanation :
"aggregations": { "myagg": { "terms": { "field": "did", "size": 50 } } }
When I try it on the data, the values are like ABC-CDEF-DEFG, and after running the script it is not able to aggregate it. It shows the key only to be ABC and
"key" : "ABC", "doc_count" : 24069
It can't take the entire key like ABC-DEF-GHI-fhho
Check your mapping; I expect you did not do anything for the mapping. That is when you get the standard analyzer for strings. The standard analyzer breaks up at the "-", which is why you get the term you mentioned. Make the field not_analyzed and you should get better results.
When I use field.raw, that fixes the issue: https://github.com/elasticsearch/kibana/issues/364
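The tokenization behaviour behind both the "spent on" follow-up in the first question and the truncated hyphenated keys in this thread can be modelled in a few lines. This is an added Python example, not code from any of the posts or from Elasticsearch: `analyze` is a simplified stand-in for the standard analyzer, `terms_agg` is a hypothetical helper, and the documents are constructed.

```python
import re
from collections import Counter

def analyze(value):
    """Simplified stand-in for the standard analyzer (assumption):
    lowercase the text and split it on anything that is not a letter or digit."""
    return [tok for tok in re.split(r"[^0-9A-Za-z]+", value.lower()) if tok]

def terms_agg(docs, field, analyzed, include=None):
    """Count documents per indexed term, the way a terms aggregation buckets them.

    analyzed=True  -> the field was tokenized at index time (default string mapping)
    analyzed=False -> the whole value is one term (not_analyzed / a .raw sub-field)
    include        -> None, a list of exact values (ES >= 1.5.0), or a regex string
                      that has to match the whole term (ES < 1.5.0 style)
    """
    counts = Counter()
    for doc in docs:
        value = doc[field]
        terms = set(analyze(value)) if analyzed else {value}
        for term in terms:
            if include is None:
                keep = True
            elif isinstance(include, str):
                keep = re.fullmatch(include, term) is not None
            else:
                keep = term in include
            if keep:
                counts[term] += 1
    return dict(counts)

# Constructed sample documents, not data from the page.
DOCS = [
    {"type": "billing", "did": "ABC-CDEF-DEFG"},
    {"type": "spent on", "did": "ABC-CDEF-DEFG"},
    {"type": "spent on", "did": "ABC-XYZ-1234"},
    {"type": "expenditure", "did": "1234-3245-34234-2342"},
]

if __name__ == "__main__":
    # Analyzed field: "spent on" is indexed as "spent" and "on", so it never matches.
    print(terms_agg(DOCS, "type", True, ["billing", "spent on"]))
    # Untokenized field: the two-word value is a single bucket key.
    print(terms_agg(DOCS, "type", False, ["billing", "spent on"]))
    # Hyphenated ids: fragments when analyzed, full keys when not.
    print(terms_agg(DOCS, "did", True))
    print(terms_agg(DOCS, "did", False))
```
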

finding duplicate field values in elasticsearch

Using elasticsearch 0.19.4 (I know this is old, but it's what is required by a dependency)
I have a field "digest" in an elasticsearch index - and I would like to execute a query that will return me all the cases where there are duplicate values of digest. Can this be done?
For the records that have duplicate values, I would like to return other values - such as "url" which may not be duplicated.
You can use Terms Aggregation for this.
POST <index>/<type>/_search?search_type=count
{
  "aggs": {
    "duplicateNames": {
      "terms": {
        "field": "digest",
        "size": 0,
        "min_doc_count": 2
      }
    }
  }
}
This will return all values of the field digest which occur in at least 2 documents. I agree this does not exactly match your use case, but it might help.

Sorting a match query with ElasticSearch

I'm trying to use ElasticSearch to find all records containing a particular string. I'm using a match query for this, and it's working fine.
Now, I'm trying to sort the results based on a particular field. When I try this, I get some very unexpected output, and none of the records even contain my initial search query.
My request is structured as follows:
{
  "query": {
    "match": {"_all": "some_search_string"}
  },
  "sort": [
    {
      "some_field": {
        "order": "asc"
      }
    }
  ]
}
Am I doing something wrong here?
In order to sort on a string field, your mapping must contain a non-analyzed version of this field. Here's a simple blog post I found that describes how you can do this using the multi_field mapping type.
