I have the below JSON data:
{
  "_index": "logs",
  "_type": "_doc",
  "_id": "122",
  "_version": 7,
  "_score": null,
  "_source": {
    "Data": {
      "FacTotal": 62701268992,
      "FacFree": 56609468416,
      "FacStatus": "Normal",
      "Version": "2.0",
      "Ip": "192.168.0.106"
    },
    "Created": "2021-01-04T14:13:48.245760",
    "Device": "T1",
    "Customer": "demo1"
  },
  "fields": {
    "Data.UpTime": [
      "2021-01-04T14:10:05.000Z"
    ],
    "Created": [
      "2021-01-04T14:13:48.245Z"
    ]
  },
  "sort": [
    1609769628245
  ]
}
Just like the above JSON data, I have multiple data with different Customers and each customer has multiple Device. I have written the below query, which gives me a list of all the Customers and the count of Devices each customer has.
GET logs/_search
{
  "size": 0,
  "aggs": {
    "customers": {
      "terms": {
        "field": "Customer.keyword"
      },
      "aggs": {
        "type_count": {
          "cardinality": {
            "field": "Device.keyword"
          }
        }
      }
    }
  }
}
Here is the response:
{
  "took" : 996,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 325,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "customers" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "demo1",
          "doc_count" : 141,
          "type_count" : {
            "value" : 5
          }
        },
        {
          "key" : "demo2",
          "doc_count" : 140,
          "type_count" : {
            "value" : 5
          }
        },
        {
          "key" : "demo3",
          "doc_count" : 36,
          "type_count" : {
            "value" : 1
          }
        },
        {
          "key" : "demo4",
          "doc_count" : 8,
          "type_count" : {
            "value" : 1
          }
        }
      ]
    }
  }
}
How can I modify the above query so that, along with the count, it also gives us the names of the devices for a customer? Something like below:
{
  "key": "demo1",
  "doc_count": 141,
  "type_count": {
    "value": 3
  },
  "device_name": [ <- device name
    "T1",
    "T2",
    "T3"
  ]
}
Thanks
Great start!! You can leverage the terms aggregation:
GET logs/_search
{
  "size": 0,
  "aggs": {
    "customers": {
      "terms": {
        "field": "Customer.keyword"
      },
      "aggs": {
        "device_name": {
          "terms": {
            "field": "Device.keyword",
            "size": 100
          }
        },
        "type_count": {
          "cardinality": {
            "field": "Device.keyword"
          }
        }
      }
    }
  }
}
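The query above returns the device names as nested `device_name.buckets` objects rather than the flat list sketched in the question. The following is an added example, not part of the original answer: it reshapes such a response client-side and flags customers whose device list was cut off by the terms `size`. The sample response, the `flatten_customers` function and the `truncated` field are constructed for illustration.

```python
# Constructed sample (not real cluster output) laid out like a
# terms-aggregation response; demo3 simulates a list cut off by "size".
SAMPLE_RESPONSE = {"aggregations": {"customers": {"buckets": [
    {
        "key": "demo1", "doc_count": 141, "type_count": {"value": 3},
        "device_name": {
            "sum_other_doc_count": 0,
            "buckets": [{"key": "T1", "doc_count": 60},
                        {"key": "T2", "doc_count": 50},
                        {"key": "T3", "doc_count": 31}],
        },
    },
    {
        "key": "demo3", "doc_count": 36, "type_count": {"value": 2},
        "device_name": {
            "sum_other_doc_count": 6,  # docs whose device fell outside "size"
            "buckets": [{"key": "T9", "doc_count": 30}],
        },
    },
]}}}


def flatten_customers(response):
    """Return one dict per customer with a flat device_name list."""
    rows = []
    for bucket in response["aggregations"]["customers"]["buckets"]:
        devices = bucket["device_name"]
        rows.append({
            "key": bucket["key"],
            "doc_count": bucket["doc_count"],
            "type_count": bucket["type_count"],
            "device_name": [b["key"] for b in devices["buckets"]],
            # Non-zero sum_other_doc_count: some devices were not returned.
            "truncated": devices["sum_other_doc_count"] > 0,
        })
    return rows


if __name__ == "__main__":
    for row in flatten_customers(SAMPLE_RESPONSE):
        print(row)
```

A `truncated` value of true means the customer has more devices than the terms `size` allowed, so the name list is incomplete even though `type_count` still reports the full (approximate) cardinality.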