
How can I count all the occurrences within my date_histogram?


I'm trying to get a total count, per value of the summary.severity field, of the documents that fall into my group_by_asset aggregation. Below is my ES query:

{
  "runtime_mappings": {
    // Your runtime mappings here
  },
  "aggs": {
    "histogram_data": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "day",
        "extended_bounds": {
          "min": "2023-06-12T07:00:00.000Z",
          "max": "2024-06-11T19:11:32.532Z"
        }
      },
      "aggs": {
        "group_by_asset": {
          "multi_terms": {
            "terms": [
              { "field": "asset.id" },
              { "field": "summary.severity" }, // This is what I want
              { "field": "asset.name", "missing": "N/A" }
            ]
          }
        }
      }
    }
  },
  "query": {
    ...
  }
}

The result I'm getting is a breakdown for each day:

{
  "group_by_asset": {
    "buckets": [
      {
        "key_as_string": "...",
        "key": ["123", 2, "BLT"], // This is what I want
        "doc_count": 1
      }
    ],
    "sum_other_doc_count": 0,
    "doc_count_error_upper_bound": 0
  },
  "key_as_string": "2024-04-18T00:00:00.000Z",
  "key": 1713398400000,
  "doc_count": 1
},
"group_by_asset": {
  ...

What I'm interested in is this part: "key": ["123", 2, "BLT"] — the second element is summary.severity, and I want to keep a running count of how many documents have severity 1 and how many have severity 2 within the bucket. So the total would look like:

how_many_ones : <number>,  
how_many_twos: <number>

I've tried reorganizing the aggregations, using multiple aggregations, moving them into each other. Any suggestions on how to structure the query to achieve this?


Solution

  • I might still be missing something in your question, but the most obvious solution is to add a separate terms aggregation on the summary.severity field at the same level as the histogram. Note that an aggregation placed at that level counts across every document matched by the query, not per day; if you want the severity counts per day bucket instead, put the same terms aggregation under histogram_data's aggs, as a sibling of group_by_asset. Also keep in mind that terms/multi_terms buckets are truncated to their size (10 by default), so check sum_other_doc_count in the response — a non-zero value means documents were left out of the listed buckets:

    {
      "runtime_mappings": {
        // Your runtime mappings here
      },
      "aggs": {
        "by_severity": {
          "terms": { "field": "summary.severity" }
        },
        "histogram_data": {
          "date_histogram": {
            "field": "timestamp",
            "calendar_interval": "day",
            "extended_bounds": {
              "min": "2023-06-12T07:00:00.000Z",
              "max": "2024-06-11T19:11:32.532Z"
            }
          },
          "aggs": {
            "group_by_asset": {
              "multi_terms": {
                "terms": [
                  { "field": "asset.id" },
                  { "field": "summary.severity" }, // This is what I want
                  { "field": "asset.name", "missing": "N/A" }
                ]
              }
            }
          }
        }
      },
      "query": {
        ...
      }
    }