0

REST api call

GET test10/LREmail10/_search/
    {
       "size": 10,
       "query": {
          "range": {
             "ALARM DATE": {
                "gte": "now-15d/d",
                "lt": "now/d"
             }
          }
       },
       "fields": [
          "ALARM DATE",
          "CLASSIFICATION"
       ]
    }

part of out put is,

 "took": 25,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 490,
      "max_score": 1,
      "hits": [
         {
            "_index": "test10",
            "_type": "LREmail10",
            "_id": "AVM5g6XaShke4hy5dziK",
            "_score": 1,
            "fields": {
               "CLASSIFICATION": [
                  "Attack"
               ],
               "ALARM DATE": [
                  "25/02/2016 8:35:22 AM(UTC-08:00)"
               ]
            }
         },
         {
            "_index": "test10",
            "_type": "LREmail10",
            "_id": "AVM5g6e_Shke4hy5dziL",
            "_score": 1,
            "fields": {
               "CLASSIFICATION": [
                  "Compromise"
               ],
               "ALARM DATE": [
                  "25/02/2016 8:36:16 AM(UTC-08:00)"
               ]
            }
         },

What I really want to do here is, aggregate CLASSIFICATION by ALARM DATE. Default format of the date has minutes, seconds and time-zone too. But I want to aggrigate all the classifications for each and everydate. So, "25/02/2016 8:36:16 AM(UTC-08:00)" and "25/02/2016 8:35:22 AM(UTC-08:00)" should be considered as "25/02/2016" date. and get the all the classifications belong to a single date.

I wish that I have explained question properly. If you guys need any more details let me know.

If anyone, can give me a hint to look what area in Elasticsearch is also very helpful.

Improve this question

1 Answer 1

Reset to default
1

Use date_histogram like below.

 {
 "size" :0 ,
 "aggs": {
        "classification of day": {
           "date_histogram": {
              "field": "ALARM DATE",
              "interval": "day"
           },
           "aggs": {
              "classification": {
                 "terms": {
                    "field": "CLASSIFICATION"
                 }
              }
           }
        }
     }
  }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.