Wednesday, August 23, 2017

How to filter subindex for aggregation in Elasticsearch?


I query with an index wildcard (interactive*) to get all documents from the two groups of indices interactive-foo* and interactive-bar*.

For some of my aggregations all of the indices are relevant but for others only interactive-foo* OR interactive-bar*. So I just want to filter for these 'subindices' in the aggregation.

GET _search {   "query":{     "bool": {       "must": [         {           "range": {             "timestamp": {               "gte": "2017-08-01 00:00:00",               "lte": "2017-08-31 23:59:59"             }           }         },         {           "match": {             "key": "SOME_KEY"           }         }       ]     }   },   "size":0,   "aggs": {     // This one should be filtered and just count for interactive-bar*     "bar_count": {       "value_count": {         "field": "SOME_FIELD"       }     },     // This one should be filtered and just count for interactive-foo*     "foo_count": {       "value_count": {         "field": "SOME_FIELD"       }     }   } } 

1 Answer


You can use a filter aggregation like this:

{   "query": {     "bool": {       "must": [         {           "range": {             "timestamp": {               "gte": "2017-08-01 00:00:00",               "lte": "2017-08-31 23:59:59"             }           }         },         {           "match": {             "key": "SOME_KEY"           }         }       ]     }   },   "size": 0,   "aggs": {     "bar_count": {       "filter": {         "indices": {           "indices": ["interactive-bar-*"]         }       },       "aggs": {         "bar_count": {           "value_count": {             "field": "SOME_FIELD"           }         }       }     },     "foo_count": {       "filter": {         "indices": {           "indices": ["interactive-foo-*"]         }       },       "aggs": {         "foo_count": {           "value_count": {             "field": "SOME_FIELD"           }         }       }     }   } } 

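Note, though, that the indices query was deprecated in ES 5.0. Instead, use a terms query on the _index field and list every index you want to include in each aggregation, as shown below. The snippet shows only the "size" and "aggs" parts of the request body; the "query" part is the same as above. As posted, its index lists are swapped relative to the aggregation names: bar_count should list the interactive-bar-* indices and foo_count the interactive-foo-* indices.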

  "size": 0,   "aggs": {     "bar_count": {       "filter": {         "terms": {           "_index": ["interactive-foo-2017.08.14", "interactive-foo-2017.08.15"]         }       },       "aggs": {         "bar_count": {           "value_count": {             "field": "SOME_FIELD"           }         }       }     },     "foo_count": {       "filter": {         "terms": {           "_index": ["interactive-bar-2017.08.14", "interactive-bar-2017.08.15"]         }       },       "aggs": {         "foo_count": {           "value_count": {             "field": "SOME_FIELD"           }         }       }     }   } } 