Search code examples
elasticsearchaggregationgroup-concat

Elasticsearch aggregation similar to group_concat

I am new to elasticsearch and I would like to create a group_concat aggregation. But I don't know how. Can someone help me please.

The example data:

POST /example_measures/_bulk
{"index":{"_id":1}}
{"id":"1","datapoint_id":"1","datetime":"1577833200000","value":"5"}
{"index":{"_id":2}}
{"id":"2","datapoint_id":"2","datetime":"1577833210000","value":"51"}
{"index":{"_id":3}}
{"id":"3","datapoint_id":"2","datetime":"1577833220000","value":"77"}

What i want expressed in sql:

select 
datapoint_id, 
group_concat(`datetime` order by `datetime` SEPARATOR ',' limit 5) as dt, 
group_concat(`value` order by `datetime` SEPARATOR ',' limit 5) as val 
from example_measures 
group by datapoint_id;

I would like to have 2 arrays per data point. One with the timestamps and one with the values.

I had no success with the sql syntax because group_concat is not supported in the sql input:

POST /_sql?format=txt
{
  "query":"..."
}

I use Kibana and the Dev Tools for input.

Solution

  • You can achieve your use case, by using Terms Aggregation on datapoint_id field. This will create buckets - one pe unique value of datapoint_id. And, then you can further embed buckets inside these unique buckets using sub aggregations.

    Search Query:

    {
  "size": 0,
  "aggs": {
    "id": {
      "terms": {
        "field": "datapoint_id.keyword"
      },
      "aggs": {
        "dt": {
          "terms": {
            "field": "datetime.keyword",
            "order": { "_key" : "asc" },
            "size": 5
          }
        },
        "val": {
          "terms": {
            "field": "value.keyword",
            "size": 5
          }
        }
      }
    }
  }
}

    Search Result:

    "aggregations": {
    "id": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "2",
          "doc_count": 2,
          "val": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "51",
                "doc_count": 1
              },
              {
                "key": "77",
                "doc_count": 1
              }
            ]
          },
          "dt": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "1577833210000",
                "doc_count": 1
              },
              {
                "key": "1577833220000",
                "doc_count": 1
              }
            ]
          }
        },
        {
          "key": "1",
          "doc_count": 1,
          "val": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "5",
                "doc_count": 1
              }
            ]
          },
          "dt": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "1577833200000",
                "doc_count": 1
              }
            ]
          }
        }
      ]
    }
  }