
combine query_string and aggregations


I have documents from different applications in one index, with the application name as a field in each document. Now I want to count the number of documents per application per day. The application name is in string format, so I cannot use a filter term for it. While the below GET query does the filtering per application

{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
           "query": "+environmentType:prod +application:app1",
           "analyze_wildcard": true
        }
      }
    }
  }
}

and I can use this aggregation for simple daily counts

{
  "aggs": {
    "simpleDatehHistogram": {
      "date_histogram": {
        "field": "timestamp",
        "interval": "day"
      }
    }
  }
}

I don't seem to be able to combine them so that the application filter is applied to my aggregation results.

This is the mapping of my index.

{
  "myIndex" : {
    "mappings" : {
      "myType" : {
        "properties" : {
          "application" : {
            "type" : "string"
          },
          "environmentType" : {
            "type" : "string"
          },
          "event" : {
            "properties" : {
              "Id" : {
                "type" : "long"
              },
              "documentId" : {
                "type" : "string"
              }
            }
          },
          "hostname" : {
            "type" : "string"
          },
          "id" : {
            "type" : "string"
          },
          "timestamp" : {
            "type" : "date",
            "format" : "dateOptionalTime"
          },
          "timestampEpoch" : {
            "type" : "long"
          },
          "type" : {
            "type" : "string"
          },
          "version" : {
            "type" : "string"
          }
        }
      }
    }
  }
}

Solution

  • Use this to combine them:

    {
       "size":0,
       "query":{
          "filtered":{
             "query":{
                "query_string":{
                   "query":"+environmentType:prod +application:app1",
                   "analyze_wildcard":true
                }
             }
          }
       },
       "aggs":{
          "simpleDatehHistogram":{
             "date_histogram":{
                "field":"timestamp",
                "interval":"day"
             }
          }
       }
    }
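The request body above is usually built in code from values that come from somewhere else (a dashboard, a CLI argument, another service). As an added example, which is not part of the question or the answer, the following Python builds the same body for the index and field names shown on this page, quotes the application name before it goes into `query_string` so that a value such as `app1 OR application:app2` cannot widen the filter to a second application, and turns the `date_histogram` buckets into (day, count) pairs. The `legacy_filtered` switch is an assumption added here: the `filtered` query used on this page exists only in Elasticsearch 1.x/2.x, and on 5.x and later the same `query_string` goes under `bool.must`. The response at the bottom is constructed for the example, not captured from a cluster.

```python
import json


def quote_term(value):
    """Wrap a field value in double quotes for query_string, escaping the
    two characters that are special inside a quoted phrase: backslash and
    the quote itself. Without this, spaces and Lucene operators in the value
    (OR, :, *, ...) are parsed as query syntax rather than as data."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped


def build_daily_count_body(application, environment_type="prod",
                           legacy_filtered=True):
    """Return the request body that filters on environment and application
    and counts the matching documents per day, as in the answer above.

    size:0 suppresses the hits themselves; only the aggregation is returned.
    legacy_filtered=True emits the 1.x/2.x 'filtered' form used on this page;
    False emits the 'bool' form used from 5.x onward (an assumption added
    here, not something the original answer shows)."""
    query_string = {
        "query": "+environmentType:%s +application:%s"
                 % (quote_term(environment_type), quote_term(application)),
        "analyze_wildcard": True,
    }
    if legacy_filtered:
        query = {"filtered": {"query": {"query_string": query_string}}}
    else:
        query = {"bool": {"must": [{"query_string": query_string}]}}
    return {
        "size": 0,
        "query": query,
        "aggs": {
            "simpleDatehHistogram": {
                "date_histogram": {"field": "timestamp", "interval": "day"}
            }
        },
    }


def daily_counts(response):
    """Reduce a search response to [(YYYY-MM-DD, doc_count), ...]. The
    bucket order is the order Elasticsearch returns (ascending by key)."""
    buckets = response["aggregations"]["simpleDatehHistogram"]["buckets"]
    return [(b["key_as_string"][:10], b["doc_count"]) for b in buckets]


# Constructed sample response in the shape Elasticsearch returns for the
# body above: no hits (size:0) and one bucket per day that had documents.
SAMPLE_RESPONSE = {
    "took": 3,
    "hits": {"total": 5, "hits": []},
    "aggregations": {
        "simpleDatehHistogram": {
            "buckets": [
                {"key_as_string": "2015-03-01T00:00:00.000Z",
                 "key": 1425168000000, "doc_count": 3},
                {"key_as_string": "2015-03-02T00:00:00.000Z",
                 "key": 1425254400000, "doc_count": 2},
            ]
        }
    },
}


if __name__ == "__main__":
    # Would be POSTed to /myIndex/myType/_search on the cluster.
    print(json.dumps(build_daily_count_body("app1"), indent=2))
    for day, count in daily_counts(SAMPLE_RESPONSE):
        print(day, count)
```

Quoting the value rather than trying to escape individual operator characters also keeps names containing spaces intact as a single phrase. Note that `interval` in `date_histogram` was renamed to `calendar_interval` in later 7.x releases, so the aggregation part of the body needs the same kind of version switch there.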