Timestamp difference in Elasticsearch

Question

I know this has been asked, but ELK seems to be changing very rapidly and maybe something is possible at this point. So, I'm using Kibana 4 and I'm trying to visualize (or at least calculate) time difference between two docs in the query. My docs are logs from batch process with lot of fields and timestamp is one of them (of the type "date"). Would it be possible to calculate time difference between consecutive docs in the query using a scripted field? (doesn't really matter what type will be returned).

I hope I made sense, I'm new to ELK. Thanks in advance.

Dauta

AFAIK scripted metrics are for the same document. If I don't understand wrong, I think you would need [reducers](https://github.com/elastic/elasticsearch/issues/8110) that will be introduced in ES 2.0. — Pigueiras, Jun 26 '15 at 13:45
@Pigueiras So it seems. I'm going to keep an eye on that feature and in the meanwhile I'll try something else like extracting that info from docs and doing an outside calculation. Anyway, thanks for answers, everyone. — Dauta, Jun 26 '15 at 15:46

score 0 · Accepted Answer · answered Jun 26 '15 at 14:02

_From what I understand, you cannot do that in Kibana, for scripted fields apply to documents one by one. However, if all that matters to you is getting the calculated result, you can do this with a scripted_metric agregation in an ES query.

I think it may look like

{
    "sort" : [
        { "mydatefield" : {"order" : "asc"}}
    ],
    "query" : {
        (something of match, range, match_all...)
    },
    "aggregations": {
        "scripted_metric": {
            "init_script": "(declarations, eg :) _agg['myarray']=[]",
            "map_script": (store relevant timestamps in datastructure, eg :) "_ạgg.myarray.add(doc['mydatefield'])",
            "reduce_script": "(aggregate results, eg :) otherarray = [] ; for (x in ạggs){otherarray.putAll(x.myarray)} ;
            (and sort otherarray) ; result = [] ;
           for (i = 0 ; i < otherarray.length-1 ; i++){result.add(otherarray[i+1]-otherarray[i])} ;
           return result ;"
        }
    }
}

That actually did the job! After slight modification here and there. Thanks. — Dauta, Jul 01 '15 at 10:07
Glad I could help. Maybe post your code, might help someone in the future. — bezout, Jul 02 '15 at 11:09

Timestamp difference in Elasticsearch

1 Answers1