I need to create a query on elasticsearch for the condition below.
When the last element added with the "rabbitmq.queue.name" attribute is equal to "service_test_error" and the value from "rabbitmq.queue.messages.total.count" is different of "0"
The sql query below works for my search, but I could not to do the same query with elasticsearch
select * from metric where rabbitmq.queue.messages.total.count != '0' and rabbitmq.queue.name = 'service_test_error' and timestamp = (select max(timestamp) from metric where rabbitmq.queue.name = 'service_test_error')
These records below are examples that exist in my metric-xpto index
[
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-08T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 0
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-07T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 3
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-03T17:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_alpha_test_error",
"messages": {
"total": {
"count": 8
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-03T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 8
}
}
}
}
}
}
]
How can I create a similar query using elasticsearch?
In query part you can only fetch top most record and then check has to be in client side on message count.
In aggregation part this can be done.
{
"size": 0,
"query": {
"term": {
"rabbitmq.queue.name.keyword": {
"value": "service_test_error"
}
}
},
"aggs": {
"date": {
"terms": {
"field": "@timestamp",
"size": 1,
"order": {
"_term": "desc"
}
},
"aggs": {
"message_count": {
"terms": {
"field": "rabbitmq.queue.messages.total.count",
"size": 10
},
"aggs": {
"filter_count": {
"bucket_selector": {
"buckets_path": {
"key": "_key"
},
"script": "if(params.key>0) return true; else return false;"
}
}
}
},
"select_timestamp": {
"bucket_selector": {
"buckets_path": {
"key": "message_count._bucket_count"
},
"script": "if(params.key>0) return true;else false;"
}
}
}
}
}
}
Result: If top most records message count is zero then buckets will be empty else there will be data
"hits" : {
"total" : {
"value" : 7,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"date" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 6,
"buckets" : [ ]
}
}
Elastic search doesn't have joins , So in query it is not possible to compare one document with another