Elasticsearch aggregation over timestamp

Question

I'm having the following document in ElasticSearch:

"ipAddress": "192.168.10.12", "timestamp": "25 Oct 2015 20:00:00", "switchovers": 2

"ipAddress": "192.168.10.12", "timestamp": "26 Oct 2015 20:00:00", "switchovers": 1

How can I write an elasticsearch aggregation to find out switchovers[today] - switchovers[yesterday] grouped by IP address?

This is where i'm at:

{
"size": 0,
"query": {
  "match_all": {}
},
    "aggs": {
      "switchover_count_over_time": {
        "terms": {
          "field": "ipAddress"
        },
      }
  }
}'

Yet to figure out how to extract switchovers for each date (from oct. for example) and compute the difference from the previous day's switchover value..

Any help?

You won't be able to compute the difference. You will need to handle this in your app. — Evaldas Buinauskas, Nov 24 '15 at 11:35
Can't I make use of [scripting aggregation feature](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-scripted-metric-aggregation.html) here? — Skanda Nag, Nov 24 '15 at 11:37
Perhaps you can. But I find it better to handle this in your app code rather than Elastic. That's just my opinion. — Evaldas Buinauskas, Nov 24 '15 at 11:38
The thing which restricts me from computing this logic outside is that ultimately we want to write similar aggregations on the fly without relying on any app.. And visualize this result in Kibana if possible. — Skanda Nag, Nov 24 '15 at 11:47

score 1 · Answer 1 · answered Nov 24 '15 at 12:03

You can use date histogram aggregation on a date/timestamp field.Here is the linkhttps://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-datehistogram-aggregation.html.Add a terms aggregation on ipaddress/switchovers inside the date_histogram aggregation.

{
    "aggs" : {
        "date_interval" : {
            "date_histogram" : {
                "field" : "date",
                "interval" : "month"
            }, "aggs": {
              "switch_over": {
                "terms": {
                  "field": "ip/switchovers",
                  "size": 100
                }
              }
            }
        }
    }
}

Hope this works for you.

Elasticsearch aggregation over timestamp

1 Answers1