2

I'm having the following document in ElasticSearch:

"ipAddress": "192.168.10.12", "timestamp": "25 Oct 2015 20:00:00", "switchovers": 2

"ipAddress": "192.168.10.12", "timestamp": "26 Oct 2015 20:00:00", "switchovers": 1

How can I write an elasticsearch aggregation to find out switchovers[today] - switchovers[yesterday] grouped by IP address?

This is where i'm at:

{
"size": 0,
"query": {
  "match_all": {}
},
    "aggs": {
      "switchover_count_over_time": {
        "terms": {
          "field": "ipAddress"
        },
      }
  }
}'

Yet to figure out how to extract switchovers for each date (from oct. for example) and compute the difference from the previous day's switchover value..

Any help?

Improve this question
4
  • You won't be able to compute the difference. You will need to handle this in your app. Commented Nov 24, 2015 at 11:35
  • Can't I make use of scripting aggregation feature here? Commented Nov 24, 2015 at 11:37
  • Perhaps you can. But I find it better to handle this in your app code rather than Elastic. That's just my opinion. Commented Nov 24, 2015 at 11:38
  • The thing which restricts me from computing this logic outside is that ultimately we want to write similar aggregations on the fly without relying on any app.. And visualize this result in Kibana if possible. Commented Nov 24, 2015 at 11:47

1 Answer 1

Reset to default
2

You can use date histogram aggregation on a date/timestamp field.Here is the linkhttps://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-datehistogram-aggregation.html.Add a terms aggregation on ipaddress/switchovers inside the date_histogram aggregation.

{
    "aggs" : {
        "date_interval" : {
            "date_histogram" : {
                "field" : "date",
                "interval" : "month"
            }, "aggs": {
              "switch_over": {
                "terms": {
                  "field": "ip/switchovers",
                  "size": 100
                }
              }
            }
        }
    }
}

Hope this works for you.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.