Average log count from last 24 hours in Opensearch bucket


I wrote a query in Opensearch to collect the last 24h of errors and the last 1h of errors into 2 buckets: errors_1h and errors_24h. The query returns the errors from the last 24h and the last 1h, and now I'm trying to get an average value for the errors in the last 24h, i.e. an average of the number of documents in the errors_24h bucket.

I tried avg_bucket, but from the documentation I found out that it is meant for parent/sibling aggregations, and I have just one aggregation.

This is what I did so far:

{
    "size": 0,
    "track_total_hits": true,
    "aggregations": {
        "error_buckets": {
            "filters": {
                "filters": {
                    "errors_1h": {
                        "bool": {
                            "must": [
                                {
                                    "range": {
                                        "@timestamp": {
                                            "from": "{{period_end}}||-1h",
                                            "to": "{{period_end}}",
                                            "include_lower": true,
                                            "include_upper": true,
                                            "format": "epoch_millis",
                                            "boost": 1
                                        }
                                    }
                                },
                                {
                                    "match_phrase": {
                                        "level": {
                                            "query": "Error",
                                            "slop": 0,
                                            "zero_terms_query": "NONE",
                                            "boost": 1
                                        }
                                    }
                                }
                            ],
                            "adjust_pure_negative": true,
                            "boost": 1
                        }
                    },
                    "errors_24h": {
                        "bool": {
                            "must": [
                                {
                                    "range": {
                                        "@timestamp": {
                                            "from": "{{period_end}}||-24h",
                                            "to": "{{period_end}}",
                                            "include_lower": true,
                                            "include_upper": true,
                                            "format": "epoch_millis",
                                            "boost": 1
                                        }
                                    }
                                },
                                {
                                    "match_phrase": {
                                        "level": {
                                            "query": "Error",
                                            "slop": 0,
                                            "zero_terms_query": "NONE",
                                            "boost": 1
                                        }
                                    }
                                }
                            ],
                            "adjust_pure_negative": true,
                            "boost": 1
                        }
                    }
                },
                "other_bucket": false,
                "other_bucket_key": "_other_"
            }
        },
        "avg_average_number": {
            "avg_bucket": {
                "buckets_path": "error_buckets>_count"
            }
        },
        "total_metric": {
            "value_count": {
                "field": "@timestamp"
            }
        }
    }
}

The response:

{
    "_shards": {
        "total": 155,
        "failed": 0,
        "successful": 155,
        "skipped": 0
    },
    "hits": {
        "hits": [],
        "total": {
            "value": 122820458,
            "relation": "eq"
        },
        "max_score": null
    },
    "took": 1073,
    "timed_out": false,
    "aggregations": {
        "error_buckets": {
            "meta": {},
            "buckets": {
                "errors_24h": {
                    "doc_count": 131571
                },
                "errors_1h": {
                    "doc_count": 5304
                }
            }
        },
        "avg_average_number": {
            "value": 68437.5
        },
        "total_metric": {
            "value": 118440807
        }
    }
}
