Aggregations on filtered data

In our quest to learn about different bucket aggregations, let's take a very short detour to understand how to apply aggregations on filtered data. So far, we have been applying all of our aggregations on all the data of the given index/type. In the real world, you will almost always need to apply some filters before applying aggregations (either metric or bucket aggregations).

Let's revisit the example that we looked at in the Terms aggregation section. We found out the top categories in the whole index and type. Now, what we want to do is find the top category for a specific customer, not for all of the customers:

GET /bigginsight/_search?size=0&track_total_hits=true
{
  "query": {
    "term": {
      "customer": "Linkedin"
    }
  },
  "aggs": {
    "byCategory": {
      "terms": {
        "field": "category"
      }
    }
  }
}

We modified the original query, which found the top categories, by adding a query element (the "query" block in the preceding request). Inside that query, we added a term filter for the specific customer that we were interested in.

This type of query, when used with any type of aggregation, changes the context of the data on which aggregations are calculated. The query/filter decides the data that the aggregations will be run on.

Let's look at the response of this query to understand this better:

{
  "took": 18,
  ...,
  "hits": {
    "total": {
      "value": 76607,
      "relation": "eq"
    },
    "max_score": 0,
    "hits": []
  },
  ...
}

The hits.total element in the response is now much smaller than it was for the earlier aggregation query, which was run on the whole index and type. We may also want to apply more filters to limit the query to a smaller time window.

The following query applies multiple filters and makes the scope of the aggregation more specific. It restricts the aggregation to a single customer and to a subset of the time interval:

GET /bigginsight/_search?size=0
{
  "query": {
    "bool": {
      "must": [
        {"term": {"customer": "Linkedin"}},
        {"range": {"time": {"gte": 1506277800000, "lte": 1506294200000}}}
      ]
    }
  },
  "aggs": {
    "byCategory": {
      "terms": {
        "field": "category"
      }
    }
  }
}
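The following is an added example, not code from the book or from Elasticsearch: a small in-memory model of the requests above, run over constructed documents, showing how the query narrows both hits.total and the byCategory bucket counts. It models only the term, range and bool/must clauses used on this page; the field names and time bounds follow the page, while the documents and the helper names (matches, search) are assumptions.

```python
from collections import Counter

# Constructed sample documents (not taken from the bigginsight index).
DOCS = [
    {"customer": "Linkedin", "category": "Professional", "time": 1506277900000},
    {"customer": "Linkedin", "category": "Professional", "time": 1506280000000},
    {"customer": "Linkedin", "category": "Chat", "time": 1506290000000},
    {"customer": "Linkedin", "category": "Chat", "time": 1506300000000},  # outside window
    {"customer": "Google", "category": "Search", "time": 1506278000000},
    {"customer": "Google", "category": "Chat", "time": 1506279000000},
]

def matches(doc, query):
    """Evaluate the query clause types used on this page against one document."""
    (kind, body), = query.items()
    if kind == "match_all":
        return True
    if kind == "term":
        (field, value), = body.items()
        return doc.get(field) == value
    if kind == "range":
        (field, bounds), = body.items()
        v = doc.get(field)
        return v is not None and bounds.get("gte", v) <= v <= bounds.get("lte", v)
    if kind == "bool":
        return all(matches(doc, clause) for clause in body.get("must", []))
    raise ValueError(f"unsupported query type: {kind}")

def search(docs, request):
    """Apply the query first, then aggregate only over the matching documents."""
    hits = [d for d in docs if matches(d, request.get("query", {"match_all": {}}))]
    out = {"hits": {"total": {"value": len(hits), "relation": "eq"}}, "aggregations": {}}
    for name, agg in request.get("aggs", {}).items():
        field = agg["terms"]["field"]
        counts = Counter(d[field] for d in hits if field in d)
        out["aggregations"][name] = {"buckets": [
            {"key": k, "doc_count": n} for k, n in counts.most_common()]}
    return out

AGGS = {"byCategory": {"terms": {"field": "category"}}}
UNFILTERED = {"aggs": AGGS}
BY_CUSTOMER = {"query": {"term": {"customer": "Linkedin"}}, "aggs": AGGS}
BY_CUSTOMER_AND_TIME = {"query": {"bool": {"must": [
    {"term": {"customer": "Linkedin"}},
    {"range": {"time": {"gte": 1506277800000, "lte": 1506294200000}}}]}}, "aggs": AGGS}

if __name__ == "__main__":
    for req in (UNFILTERED, BY_CUSTOMER, BY_CUSTOMER_AND_TIME):
        print(search(DOCS, req))
```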

This is how the scope of aggregation can be modified using filters. Now, we will continue on our detour of learning about different bucket aggregations and look at how to nest metric aggregations inside bucket aggregations.
