How to retrieve timestamp along with minimum value within an elastic aggregation

Question

I am executing aggregations query on an elastic dataset I want to retrieve the maximum and minimum values over a timespan I achieve this with

"aggs": {
    "DateRangeFilter": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2015-10-16T11:13:17.000",
            "lte": "2015-10-16T12:29:47.000"
          }
        }
      },
      "aggs": {
        "min_chan4": {
          "min": {
            "field": "ch_004"
          }
        },
        "max_chan4": {
          "max": {
            "field": "ch_004"
          }
}

and this gives me:

"DateRangeFilter": {
    "doc_count": 153,
    "min_chan4": {
      "value": 0.7463656663894653
    },
    "max_chan4": {
      "value": 5.170884132385254
    }

which is great.

What i need is also to retrieve the time that each of these occurred My documents look like this:

    "_source": {
      "GroupId": "blahblah",
      "@timestamp": "2015-10-14T12:41:30Z",
      "ch_004": 1.5608633995056154
    }

so I would expect to be able to retrieve not only the min and max values over the given date range but also at what time (@timestamp) that min or max value was recorded

e.g. min value minX occurred at time t1, max value maxX occurred at time t2

score 1 · Accepted Answer · answered Dec 06 '17 at 09:38

You can achieve it by using Top Hits Aggregation. example can be found here:

{
  "aggs": {
    "DateRangeFilter": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2015-10-16T11:13:17.000",
            "lte": "2015-10-16T12:29:47.000"
          }
        }
      },
      "aggs": {
        "ch_004_min": {
          "top_hits": {
            "size": 1,
            "sort": [
              {
                "timestamp": {
                  "order": "asc"
                }
              }
            ]
          }
        },
        "ch_004_max": {
          "top_hits": {
            "size": 1,
            "sort": [
              {
                "timestamp": {
                  "order": "desc"
                }
              }
            ]
          }
        }
      }
    }
  }
}

Many thanks for pointing me towards top_hits. With a small change I was able to come up with this which gave the exact answer I was looking for: "top_hits": { "size": 1, "sort": [ { "ch_004": { "order": "desc" } } ], "_source": { "includes": [ "ch_004", "@timestamp"] } } — riketscience, Dec 11 '17 at 10:42

How to retrieve timestamp along with minimum value within an elastic aggregation

1 Answers1