Get the max value of a nested aggregated object
I have this kind of doc structure :
{
"_index": "infra-metrics",
"_id": "C4-XIIwBNCt3Y4ACckwp",
"_score": 1,
"_source": {
"resourceId": "e5735563-2b4c-46e9-a38d-4728a5617ebc",
"tenantId": "d7842881-31c9-4974-bc87-7a621ba440a5",
"timestamp": "2023-11-30T14:17:24.627",
"points": [
{
"measurement": "win_logical_disk",
"precison": "MILLISECONDS",
"size": 1000186310656,
"free": 173625864192,
"name": "C:",
"load": 83
},
{
"measurement": "win_logical_disk",
"precison": "MILLISECONDS",
"size": 999559262208,
"free": 554817146880,
"name": "D:",
"load": 44
}
]
}
}
I need the max load of each disk of each day for the past 29 days, how can I achieve that ?
I firstly thought about making this query :
{
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"timestamp": {
"gte": "now-29d/d",
"lte": "now/d"
}
}
},
{
"term": {
"resourceId.keyword": {
"value": "e5735563-2b4c-46e9-a38d-4728a5617ebc"
}
}
},
{
"term": {
"tenantId.keyword": {
"value": "d7842881-31c9-4974-bc87-7a621ba440a5"
}
}
},
{
"bool": {
"should": [
{
"term": {
"points.measurement.keyword": {
"value": "win_logical_disk"
}
}
},
{
"term": {
"points.measurement.keyword": {
"value": "lnx_logical_disk"
}
}
},
{
"term": {
"points.measurement.keyword": {
"value": "ibmi_asp"
}
}
}
]
}
}
]
}
},
"aggs": {
"date_histogram": {
"date_histogram": {
"field": "timestamp",
"calendar_interval": "day",
"extended_bounds": {
"min": "now-29d/d",
"max": "now/d"
}
},
"aggs": {
"disk": {
"terms": {
"field": "points.name.keyword"
},
"aggs": {
"max": {
"max": {
"field": "points.load"
}
}
}
}
}
}
}
}
Let's say I only have 1 doc today, the one that I provided abov. If i run the above query, it returns me this :
{
"key_as_string": "2023-11-30T00:00:00.000Z",
"key": 1701302400000,
"doc_count": 13,
"disk": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "C:",
"doc_count": 13,
"max": {
"value": 83
}
},
{
"key": "D:",
"doc_count": 13,
"max": {
"value": 83
}
}
]
}
}
But I want the query to return :
For "C:" : 83 For "D:" : 44
I know why it doesn't work but I have no idea how to do it.
Any ideas ?
Thanks
The reason is you are using object field type. The issue will be fixed if you use the nested field type. Check this article for more information.
Here are some useful informations for object vs nested:
Object fields are used when the structure of the sub-fields is important, but not the relationships between them. They are indexed as separate and independent fields, and can be queried independently. However, if you need to maintain the relationships between the sub-fields, object fields may not be suitable because they don't keep the correlation between the sub-fields.
On the other hand, nested fields are used when you need to maintain the relationships between the sub-fields. They are indexed as separate hidden documents, which allows for querying that maintains the relationships between the sub-fields. This is particularly useful when you have arrays of objects and you want to query objects that match multiple criteria.
Here is an example for you.
PUT measurement/_doc/1
{
"resourceId": "e5735563-2b4c-46e9-a38d-4728a5617ebc",
"tenantId": "d7842881-31c9-4974-bc87-7a621ba440a5",
"timestamp": "2023-11-30T14:17:24.627",
"points": [
{
"measurement": "win_logical_disk",
"precison": "MILLISECONDS",
"size": 1000186310656,
"free": 173625864192,
"name": "C:",
"load": 83
},
{
"measurement": "win_logical_disk",
"precison": "MILLISECONDS",
"size": 999559262208,
"free": 554817146880,
"name": "D:",
"load": 44
}
]
}
GET measurement/_search
{
"size": 0,
"aggs": {
"date_histogram": {
"date_histogram": {
"field": "timestamp",
"calendar_interval": "day",
"extended_bounds": {
"min": "now-29d/d",
"max": "now/d"
}
},
"aggs": {
"disk": {
"terms": {
"field": "points.name.keyword"
},
"aggs": {
"max": {
"max": {
"field": "points.load"
}
}
}
}
}
}
}
}
PUT measurement_nested
{
"mappings": {
"properties": {
"points": {
"type": "nested"
}
}
}
}
POST _reindex
{
"source": {
"index": "measurement"
},
"dest": {
"index": "measurement_nested"
}
}
GET measurement_nested/_search
{
"size": 0,
"aggs": {
"date_histogram": {
"date_histogram": {
"field": "timestamp",
"calendar_interval": "day",
"extended_bounds": {
"min": "now-29d/d",
"max": "now/d"
}
},
"aggs": {
"disk": {
"nested": {
"path": "points"
},
"aggs": {
"NAME": {
"terms": {
"field": "points.name.keyword"
},
"aggs": {
"max": {
"max": {
"field": "points.load"
}
}
}
}
}
}
}
}
}
}
- Constrain a Specman list so it doesn't have identical values in consecutive elements
- How to type cast a list of uint to a list of vr_ahb_data in Specman?
- Static fields/methods in e
- What is the difference between deep_copy and gen keeping in Specman?
- Specman UVM: What is the difference between write_reg { .field == 2;}; and write_reg_fields?
- Does Specman support optional parameters to a method?
- Specman e: When colon equal sign ":=" should be used?
- Specman e: Is there a way to know how many values there is in an enumerated type?
- Specman e error: No match for file when using "for each line in file"
- How to run e file one by one? Not in parallel test
- Specman/e constraint (for each in) iteration
- Specman e: How driver's items queue can be locked from a sequence?
- Specman e: How to print variable's address?
- Specman e: "keep type .. is a" fails to refine the type of a field
- Specman soft select on variable, decimal vs. hexadecimal values
- Specman e: How to print a pointer to a struct?
- Specman e: Is there a way to print unit instance name?
- Specman e: simultaneous events error
- Specman e coverage: ignored values appear in the coverage statistics
- Specman e: How a sequence should be started when gen_and_start_main constrained to FALSE?
- Specman/e list of lists (multidimensional array)
- Does Specman e have struct constructor?
- Specman e: How the predefined sequence.item should be used?
- Specman e: define-as-computed macro error
- Specman e UVM: Why to inherit from uvm_* units?
- Specman e: A sequence drives its BFM also its MAIN was not defined in a test
- e HVL (IEEE 1647): expect expression fails unexpectedly
- Specman e subtyping: How to refer to FALSE value of conditional field in when/extend subtyping?
- e HVL (IEEE 1647): How to set 'X' value?
- Difference between declaring an event that is sensitive to a simple_port value and event_port