
We want to aggregate some value. For example's sake, let's say we are indexing users who register in an organization.

We want to get the registered users count split like:

  • registered from gmail : 900
  • registered via fb : 800
  • registered via yahoo : 700
  • registered via own application : 1500
  • registered via others : 1600

We need to bucket 0 to 1000 users (gmail, fb, yahoo: 3 applications) and 1001 to 2000 (own app, other app: 2 applications). We need to bucket like the scenario above.

How do we achieve this in Elasticsearch? Any suggestions?

Thanks

Vijay

1 Answer


Let's say the user object you are indexing looks like this:

POST users/user
{
  "login":"user1",
  "organization":"fb"
}

You are trying to aggregate your users by their organization value. For this purpose, you have to use a terms aggregation.

Your query will look like :

POST users/_search?search_type=count
{
  "aggs": {
    "by_organization": {
      "terms": {
        "field": "organization"
      }
    }
  }
}

Note: search_type=count is here only to get a shorter response, as result hits won't be returned (see here).

Your search response will look something like:

{
   (...)
   "aggregations": {
      "by_organization": {
         "doc_count_error_upper_bound": 0,
         "sum_other_doc_count": 0,
         "buckets": [
            {
               "key": "app",
               "doc_count": 4
            },
            {
               "key": "fb",
               "doc_count": 3
            },
            {
               "key": "gmail",
               "doc_count": 2
            }
         ]
      }
   }
}

You can see the buckets corresponding to each organization value.

Be aware that:

  • Only the top 10 buckets will be returned by default (see size parameter of the terms aggregation)
  • This simple example works because the organization values are simple, but in real life you will have to set your organization field to not_analyzed in order to aggregate on the original value (and not on the terms obtained via analysis)

I strongly invite you to read more about analysis, and the terms aggregation documentation.

ThomasC
  • Actually, what we're getting is aggregated values like (app - 51, fb - 100, gmail - 30, other - 15). Now we need to split the values like 0 to 50 users (gmail and other) and 51 to 100 users (app and fb). We need to bucket these values. Is that possible? – Vijay Mar 13 '15 at 13:15
  • For now, I think it's not possible: you will have to do it on the application side. However, it's planned to be part of v2.0 (see [related issue](https://github.com/elastic/elasticsearch/issues/9876)). – ThomasC Mar 13 '15 at 13:35
  • Thanks for your info Thomas Cucchietti. – Vijay Mar 16 '15 at 05:05
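The answer's conclusion is that grouping the per-organization counts into ranges (0 to 50, 51 to 100) has to happen on the application side once the terms aggregation response comes back. The following is an added example, not code from the question, the answer or Elasticsearch itself. It takes a constructed response in the 1.x shape shown in the answer, with the counts from the comment thread, and does the bucketing in Python. It also applies the two checks the answer warns about: `sum_other_doc_count` tells you whether the default `size` of 10 cut off organizations, and `doc_count_error_upper_bound` tells you how far per-shard ordering may have skewed a count. Both must be zero before any application-side range is trustworthy. The function and range names are this example's own.

```python
"""Application-side bucketing of terms-aggregation counts into ranges.

Added example, not part of the original thread. Assumes the Elasticsearch 1.x
response shape shown in the answer above; the response below is constructed,
with doc_counts matching the comment thread (app 51, fb 100, gmail 30, other 15).
"""
from collections import OrderedDict

# Constructed sample of the "aggregations" part of a _search response.
SAMPLE_RESPONSE = {
    "hits": {"total": 196},
    "aggregations": {
        "by_organization": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "fb", "doc_count": 100},
                {"key": "app", "doc_count": 51},
                {"key": "gmail", "doc_count": 30},
                {"key": "other", "doc_count": 15},
            ],
        }
    },
}

# Inclusive [lo, hi] ranges from the comment thread; labels are this example's.
RANGES = [("0-50", 0, 50), ("51-100", 51, 100)]


def check_complete(agg):
    """Return warnings when the terms buckets may not cover every organization.

    sum_other_doc_count > 0: the 'size' limit (default 10) dropped buckets, so
    any range built from this response is missing keys.
    doc_count_error_upper_bound > 0: a key's count may be under-reported by up
    to that amount, which can move it across a range boundary.
    """
    warnings = []
    other = agg.get("sum_other_doc_count", 0)
    if other > 0:
        warnings.append("%d documents fall in buckets not returned; raise 'size'" % other)
    err = agg.get("doc_count_error_upper_bound", 0)
    if err > 0:
        warnings.append("counts may be off by up to %d per bucket; raise 'shard_size'" % err)
    return warnings


def bucket_by_doc_count(agg, ranges):
    """Group the terms buckets by doc_count into the given inclusive ranges.

    Keys whose count matches no range are kept under "unbucketed" rather than
    silently dropped, so a gap in the ranges is visible in the output.
    """
    result = OrderedDict((label, []) for label, _, _ in ranges)
    result["unbucketed"] = []
    for b in agg["buckets"]:
        count = b["doc_count"]
        for label, lo, hi in ranges:
            if lo <= count <= hi:
                result[label].append(b["key"])
                break
        else:
            result["unbucketed"].append(b["key"])
    return result


if __name__ == "__main__":
    agg = SAMPLE_RESPONSE["aggregations"]["by_organization"]
    for w in check_complete(agg):
        print("warning:", w)
    for label, keys in bucket_by_doc_count(agg, RANGES).items():
        print(label, keys)
```

With the constructed response this yields 0-50: gmail, other and 51-100: fb, app, which is the split asked for in the comments. If `check_complete` returns anything, widen `size` (and `shard_size`) on the terms aggregation and re-run the query before relying on the ranges.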