Skanda Nag
Reputation: 23
Elasticsearch aggregation over timestamp
I'm having the following document in ElasticSearch:
"ipAddress": "192.168.10.12", "timestamp": "25 Oct 2015 20:00:00", "switchovers": 2
"ipAddress": "192.168.10.12", "timestamp": "26 Oct 2015 20:00:00", "switchovers": 1
How can I write an elasticsearch aggregation to find out switchovers[today] - switchovers[yesterday] grouped by IP address?
This is where i'm at:
{
"size": 0,
"query": {
"match_all": {}
},
"aggs": {
"switchover_count_over_time": {
"terms": {
"field": "ipAddress"
},
}
}
}'
Yet to figure out how to extract switchovers for each date (from oct. for example) and compute the difference from the previous day's switchover value..
Any help?
Upvotes: 2
Views: 3491
Answers (1)
user3775217
Reputation: 4803
You can use date histogram aggregation on a date/timestamp field.Here is the linkhttps://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-datehistogram-aggregation.html.Add a terms aggregation on ipaddress/switchovers inside the date_histogram aggregation.
{
"aggs" : {
"date_interval" : {
"date_histogram" : {
"field" : "date",
"interval" : "month"
}, "aggs": {
"switch_over": {
"terms": {
"field": "ip/switchovers",
"size": 100
}
}
}
}
}
}
Hope this works for you.
Upvotes: 2
Related Questions
- Store time related data in ElasticSearch
- Convert timestamps to datetime for use in Elasticsearch aggregations
- Elasticsearch: Aggregation with filtering by timestamp
- Elasticsearch api - order aggregation by @timestamp
- Elasticsearch Date Aggregations
- Elasticsearch aggregation on date range
- Elasticsearch term aggregation and range with timestamp
- ElasticSearch: Agregation on a datetime field
- Elasticsearch: Date Aggregation Most Recent
- Aggregation over "LastUpdated" property or _timestamp