North Dallas Developers Online Curricula

Hands-On Elasticsearch - Part 2 - Aggregates

Basic Terms Aggregates

A terms aggregation buckets documents by the distinct values of a field and returns a document count per bucket. The query below restricts kibana_sample_data_logs to three days (the range filter's dates are interpreted in the -05:00 time zone) and counts requests per HTTP response code. It targets response.keyword rather than response because a terms aggregation needs a keyword or numeric field, and "size": 0 drops the hits so only the aggregation result comes back. By default a terms aggregation returns only the ten largest buckets; everything else is rolled up into sum_other_doc_count in the response, so check that number before treating the top ten as the whole picture.

GET kibana_sample_data_logs/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range" : {
            "timestamp" : {
                "gte": "2019-04-28T00:00:00",
                "lt": "2019-05-01T00:00:00",
                "time_zone": "-05:00"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "response_code": {
      "terms": {
        "field": "response.keyword"
      }
    }
  },
  "size": 0
}

Task: Aggregate on file extension (the extension.keyword field) instead of response code. Create a visualization to see the data and a query to fetch the raw documents behind it.

Time-Based Aggregates

This one mimics the histogram at the top of the Discover tab: a date_histogram with one bucket per hour over the same three-day window. The histogram uses calendar_interval rather than the older interval parameter, which is deprecated since Elasticsearch 7.2 and no longer accepted in 8.x. It also repeats the time_zone so that each bucket's key_as_string is reported in the same local time as the filter window instead of UTC (for daily or larger intervals the time zone also moves the bucket boundaries).

GET kibana_sample_data_logs/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range" : {
            "timestamp" : {
                "gte": "2019-04-28T00:00:00",
                "lt": "2019-05-01T00:00:00",
                "time_zone": "-05:00"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "log_counts": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "1h",
        "time_zone": "-05:00"
      }
    }
  },
  "size": 0
}

Nested Time-Based Aggregations

What if you wanted requests over time broken out not only by hour but also by a second field? Aggregations nest: the terms aggregation below sits inside the date_histogram, so every hourly bucket carries its own sub-buckets, here one per response code. An hour in which 4xx or 5xx codes suddenly dominate stands out in this view in a way the flat histogram hides.

GET kibana_sample_data_logs/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range" : {
            "timestamp" : {
                "gte": "2019-04-28T00:00:00",
                "lt": "2019-05-01T00:00:00",
                "time_zone": "-05:00"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "log_counts": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "1h",
        "time_zone": "-05:00"
      },
      "aggs": {
        "by_response_code": {
          "terms": {
            "field": "response.keyword"
          }
        }
      }
    }
  },
  "size": 0
}

Task: Instead of aggregating on response code, aggregate on extension (extension.keyword). Create a visualization to see the data and a query to fetch the raw documents behind it.
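The request builder and a consumer of its response, as an added Python example that is not part of the course page. It parameterises the nested date_histogram + terms query above so the same code serves the basic terms section, this section and the extension task; the response it parses (SAMPLE_RESPONSE) is constructed here in the shape Elasticsearch returns and is not real data from kibana_sample_data_logs, and the function and aggregation names (nested_terms_by_hour, flatten, error_share_by_hour, by_field) are this example's own.

```python
"""Build the nested date_histogram + terms request and flatten its response.
Added example; not code from the original course page."""
import json
from collections import defaultdict


def nested_terms_by_hour(field, start, end, tz="-05:00", interval="1h", top=10):
    """Request body: requests per hour, sub-bucketed by `field`.

    `field` is any keyword field, e.g. "response.keyword" (as on the page)
    or "extension.keyword" (the task).  time_zone is repeated on the
    date_histogram so bucket keys line up with the range filter's window.
    """
    return {
        "query": {"bool": {"must": [{"range": {"timestamp": {
            "gte": start, "lt": end, "time_zone": tz}}}]}},
        "aggs": {"log_counts": {
            "date_histogram": {"field": "timestamp",
                               "calendar_interval": interval,
                               "time_zone": tz},
            "aggs": {"by_field": {"terms": {"field": field, "size": top}}},
        }},
        "size": 0,
    }


def flatten(resp, outer="log_counts", inner="by_field"):
    """Turn the nested bucket tree into (hour, key, count) rows.

    sum_other_doc_count is kept as a row keyed "__other__" so the long tail
    dropped by the terms `size` limit is not silently lost.
    """
    rows = []
    for hour in resp["aggregations"][outer]["buckets"]:
        sub = hour[inner]
        for b in sub["buckets"]:
            rows.append((hour["key_as_string"], b["key"], b["doc_count"]))
        if sub.get("sum_other_doc_count", 0):
            rows.append((hour["key_as_string"], "__other__",
                         sub["sum_other_doc_count"]))
    return rows


def error_share_by_hour(rows, error_prefixes=("4", "5")):
    """Share of requests per hour whose response code starts with 4 or 5.
    "__other__" rows count toward the hour's total but not toward errors."""
    total = defaultdict(int)
    errs = defaultdict(int)
    for hour, key, n in rows:
        total[hour] += n
        if key != "__other__" and str(key)[:1] in error_prefixes:
            errs[hour] += n
    return {h: errs[h] / total[h] for h in total}


# Constructed response shaped like Elasticsearch's output for the request
# above (two hourly buckets; made-up counts, not kibana_sample_data_logs).
SAMPLE_RESPONSE = {
    "aggregations": {"log_counts": {"buckets": [
        {"key_as_string": "2019-04-28T00:00:00.000-05:00",
         "key": 1556427600000, "doc_count": 40,
         "by_field": {"doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 0,
                      "buckets": [{"key": "200", "doc_count": 38},
                                  {"key": "404", "doc_count": 2}]}},
        {"key_as_string": "2019-04-28T01:00:00.000-05:00",
         "key": 1556431200000, "doc_count": 50,
         "by_field": {"doc_count_error_upper_bound": 0,
                      "sum_other_doc_count": 5,
                      "buckets": [{"key": "200", "doc_count": 20},
                                  {"key": "503", "doc_count": 25}]}},
    ]}}
}

if __name__ == "__main__":
    body = nested_terms_by_hour("response.keyword",
                                "2019-04-28T00:00:00", "2019-05-01T00:00:00")
    print(json.dumps(body, indent=2))   # paste into Kibana Dev Tools
    for hour, share in error_share_by_hour(flatten(SAMPLE_RESPONSE)).items():
        print(hour, f"{share:.0%} error responses")
```

Swap "response.keyword" for "extension.keyword" to produce the task's query; the flattened rows then make a handy CSV for the "raw data" half of the task. The "__other__" row is the point of the example: with the default size of ten, a rare but interesting code can fall into sum_other_doc_count and vanish from the buckets you are inspecting.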

Nested Average Aggregation

Metric aggregations nest the same way. Here avg computes the mean of the bytes field inside each hourly bucket, i.e. average response size per hour. A bucket whose average jumps well above its neighbours is a cheap first signal that is worth pulling the raw documents for.

GET kibana_sample_data_logs/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range" : {
            "timestamp" : {
                "gte": "2019-04-28T00:00:00",
                "lt": "2019-05-01T00:00:00",
                "time_zone": "-05:00"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "log_counts": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "1h",
        "time_zone": "-05:00"
      },
      "aggs": {
        "avg_bytes": {
          "avg": {
            "field": "bytes"
          }
        }
      }
    }
  },
  "size": 0
}

Range Aggregation

A range aggregation buckets a numeric field into explicit intervals instead of discrete values. Each range includes from and excludes to, so the five ranges below partition bytes with no gaps and no overlap; the open-ended first and last ranges catch everything below 5000 and everything at or above 20000.

GET kibana_sample_data_logs/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range" : {
            "timestamp" : {
                "gte": "2019-04-28T00:00:00",
                "lt": "2019-05-01T00:00:00",
                "time_zone": "-05:00"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "bytes_ranges": {
      "range": {
        "field": "bytes",
        "ranges": [
          { "to": 5000 },
          { "from": 5000, "to": 10000 },
          { "from": 10000, "to": 15000 },
          { "from": 15000, "to": 20000 },
          { "from": 20000 }
        ]
      }
    }
  },
  "size": 0
}
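Helpers for the range aggregation, as an added Python example that is not part of the course page. ranges_from_thresholds builds a gap-free, overlap-free ranges list from a set of cut points, bytes_range_body wraps it in the request above, and bucket_counts reads the response in both the default array form and the object form Elasticsearch returns when "keyed": true is set. The two responses (SAMPLE_ARRAY, SAMPLE_KEYED) are constructed here with made-up counts; the bucket key strings follow the "*-5000.0" / "5000.0-10000.0" / "20000.0-*" format Elasticsearch emits for numeric ranges. Function names are this example's own.

```python
"""Range aggregation helpers.  Added example; not from the course page."""


def ranges_from_thresholds(thresholds):
    """Turn cut points into the `ranges` list a range aggregation expects.

    Each bucket includes `from` and excludes `to`, so [5000, 10000] yields
    *-5000, 5000-10000 and 10000-* with no overlap and no gap.
    """
    cuts = sorted(thresholds)
    if not cuts:
        raise ValueError("at least one threshold is required")
    ranges = [{"to": cuts[0]}]
    ranges += [{"from": lo, "to": hi} for lo, hi in zip(cuts, cuts[1:])]
    ranges.append({"from": cuts[-1]})
    return ranges


def bytes_range_body(thresholds, start, end, tz="-05:00", keyed=False):
    """Request body for the Range Aggregation section, parameterised.
    keyed=True asks Elasticsearch for buckets as an object keyed by range."""
    return {
        "query": {"bool": {"must": [{"range": {"timestamp": {
            "gte": start, "lt": end, "time_zone": tz}}}]}},
        "aggs": {"bytes_ranges": {"range": {
            "field": "bytes",
            "ranges": ranges_from_thresholds(thresholds),
            "keyed": keyed}}},
        "size": 0,
    }


def bucket_counts(resp, name="bytes_ranges"):
    """Return {bucket key: doc_count}, accepting either response shape."""
    buckets = resp["aggregations"][name]["buckets"]
    if isinstance(buckets, dict):            # "keyed": true
        return {k: b["doc_count"] for k, b in buckets.items()}
    return {b["key"]: b["doc_count"] for b in buckets}   # default array


def fraction_above(counts, cut):
    """Share of documents in buckets whose lower edge is >= cut, e.g. the
    share of responses of at least 15000 bytes.  Parses the lower edge out
    of keys like "*-5000.0" (open below) and "20000.0-*" (open above)."""
    total = sum(counts.values())
    above = 0
    for key, n in counts.items():
        lo = key.split("-")[0]
        if lo != "*" and float(lo) >= cut:
            above += n
    return above / total if total else 0.0


# Constructed responses for the page's five ranges (made-up counts, not
# taken from kibana_sample_data_logs); one per response shape.
SAMPLE_ARRAY = {"aggregations": {"bytes_ranges": {"buckets": [
    {"key": "*-5000.0", "to": 5000.0, "doc_count": 8000},
    {"key": "5000.0-10000.0", "from": 5000.0, "to": 10000.0, "doc_count": 4000},
    {"key": "10000.0-15000.0", "from": 10000.0, "to": 15000.0, "doc_count": 1500},
    {"key": "15000.0-20000.0", "from": 15000.0, "to": 20000.0, "doc_count": 400},
    {"key": "20000.0-*", "from": 20000.0, "doc_count": 100},
]}}}

SAMPLE_KEYED = {"aggregations": {"bytes_ranges": {"buckets": {
    "*-5000.0": {"to": 5000.0, "doc_count": 8000},
    "5000.0-10000.0": {"from": 5000.0, "to": 10000.0, "doc_count": 4000},
    "10000.0-15000.0": {"from": 10000.0, "to": 15000.0, "doc_count": 1500},
    "15000.0-20000.0": {"from": 15000.0, "to": 20000.0, "doc_count": 400},
    "20000.0-*": {"from": 20000.0, "doc_count": 100},
}}}}

if __name__ == "__main__":
    import json
    print(json.dumps(bytes_range_body([5000, 10000, 15000, 20000],
                                      "2019-04-28T00:00:00",
                                      "2019-05-01T00:00:00"), indent=2))
    counts = bucket_counts(SAMPLE_ARRAY)
    print(counts, f"{fraction_above(counts, 15000):.1%} at or above 15000 bytes")
```

Generating the ranges from a threshold list avoids the classic hand-editing mistake of a bucket that repeats or skips an edge; because from is inclusive and to is exclusive, reusing the same number as one range's to and the next range's from is exactly right.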