I have data as follows:
{"action":"CREATE","docs":1,"date":"2016 Jun 26 12:00:12","userid":"1234"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 27 12:00:12","userid":"1234"}
{"action":"REPLACE","docs":1,"date":"2016 Jun 27 13:00:12","userid":"1234"}
{"action":"CREATE","docs":1,"date":"2016 Jun 28 12:00:12","userid":"3431"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 28 13:00:12","userid":"3431"}
{"action":"CREATE","docs":1,"date":"2016 Jun 29 12:00:12","userid":"9999"}
To get records for each unique user ordered by date (descending), I used Top Hits like the one below:
    "aggs": {
      "user_bucket": {
        "terms": {
          "field": "userid"
        },
        "aggs": {
          "user_latest_count": {
            "top_hits": {
              "size": 1,
              "sort": [
                {
                  "date": {
                    "order": "desc"
                  }
                }
              ],
              "_source": {
                "include": [
                  "docs"
                ]
              }
            }
          }
        }
      }
    }
The result of the above query is as follows:
{"action":"REPLACE","docs":1,"date":"2016 Jun 27 13:00:12","userid":"1234"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 28 13:00:12","userid":"3431"}
{"action":"CREATE","docs":1,"date":"2016 Jun 29 12:00:12","userid":"9999"}
Now, I want to aggregate this further so that the result is as follows:
{"sum_of_different_buckets": 4}
But I am not sure how to SUM the field "docs" value from the result obtained above.
You can have another aggregation on a parallel level of top_hit, but you cannot have any sub_aggregation below top_hit. It is not supported by Elasticsearch. Here is the link to the GitHub issue
But if you want to have sum at the same level, you may use the approach below.
    "aggs": {
      "top_hits_agg": {
        "top_hits": {
          "size": 10,
          "_source": {
            "includes": ["docs"]
          }
        }
      },
      "sum_agg": {
        "sum": {
          "field": "docs"
        }
      }
    }
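Because nothing can be nested under top_hits, the per-user latest values can also be summed on the client from the response of the question's terms + top_hits query. The sketch below is an added example, not code from either post: `simulate_response` and `sum_latest_docs` are hypothetical names, and the response is built locally from the question's sample records in the shape Elasticsearch returns for that query instead of being fetched from a cluster.

```python
import json
from datetime import datetime

# Sample records copied from the question.
RECORDS = [json.loads(line) for line in """\
{"action":"CREATE","docs":1,"date":"2016 Jun 26 12:00:12","userid":"1234"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 27 12:00:12","userid":"1234"}
{"action":"REPLACE","docs":1,"date":"2016 Jun 27 13:00:12","userid":"1234"}
{"action":"CREATE","docs":1,"date":"2016 Jun 28 12:00:12","userid":"3431"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 28 13:00:12","userid":"3431"}
{"action":"CREATE","docs":1,"date":"2016 Jun 29 12:00:12","userid":"9999"}
""".splitlines()]

DATE_FMT = "%Y %b %d %H:%M:%S"


def simulate_response(records):
    """Local stand-in for the terms + top_hits (size 1, date desc) response."""
    latest = {}
    for rec in records:
        when = datetime.strptime(rec["date"], DATE_FMT)
        current = latest.get(rec["userid"])
        if current is None or when > current[0]:
            latest[rec["userid"]] = (when, rec)
    buckets = [
        {"key": uid,
         "user_latest_count": {"hits": {"hits": [{"_source": {"docs": rec["docs"]}}]}}}
        for uid, (_, rec) in latest.items()
    ]
    return {"aggregations": {"user_bucket": {"buckets": buckets}}}


def sum_latest_docs(response):
    """Sum "docs" from the single top hit of every user bucket."""
    total = 0
    for bucket in response["aggregations"]["user_bucket"]["buckets"]:
        hits = bucket["user_latest_count"]["hits"]["hits"]
        if not hits:  # bucket without a hit: nothing to add
            continue
        total += hits[0]["_source"].get("docs", 0)  # missing field counts as 0
    return total


if __name__ == "__main__":
    print({"sum_of_different_buckets": sum_latest_docs(simulate_response(RECORDS))})
```

The terms aggregation returns 10 buckets by default, so its `size` has to cover every user for the client-side total to be complete.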