
Elasticsearch 7 Timeseries

Kathmandu, Nepal

How many Events Happened?

We already worked with time series when we created histograms from our server logs in Kibana. The query that Kibana runs in the background to build those visualisations looks something like this:

curl -H "Content-Type: application/json" -XGET 'localhost:9200/apache-access-log/_search?size=0&pretty' -d'
{
  "aggs": {
    "timestamp": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "day"
      }
    }
  }
}'

This runs the aggregation over my Apache access log and returns one bucket per day with the number of events (documents) that fell into it:

"aggregations" : {
  "timestamp" : {
    "buckets" : [
      {
        "key_as_string" : "2017-04-30T00:00:00.000Z",
        "key" : 1493510400000,
        "doc_count" : 14166
      },
      {
        "key_as_string" : "2017-05-01T00:00:00.000Z",
        "key" : 1493596800000,
        "doc_count" : 15948
      },
      {
        "key_as_string" : "2017-05-02T00:00:00.000Z",
        "key" : 1493683200000,
        "doc_count" : 16278
      },
      {
        "key_as_string" : "2017-05-03T00:00:00.000Z",
        "key" : 1493769600000,
        "doc_count" : 21172
      },
      {
        "key_as_string" : "2017-05-04T00:00:00.000Z",
        "key" : 1493856000000,
        "doc_count" : 16762
      },
      {
        "key_as_string" : "2017-05-05T00:00:00.000Z",
        "key" : 1493942400000,
        "doc_count" : 18646
      }
    ]
  }
}

How many Events had the User Agent Firefox?

Just as before, we can combine the aggregation with a filter query that narrows down the documents being bucketed. For example, to count how many of the users that interacted with our web service used Firefox as their browser, we add a match query on the agent.name field:

curl -H "Content-Type: application/json" -XGET 'localhost:9200/apache-access-log/_search?size=0&pretty' -d'
{
  "query" : {
    "match": {
      "agent.name": "Firefox"
    }
  },
  "aggs": {
    "timestamp": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "day"
      }
    }
  }
}'

"aggregations" : {
  "timestamp" : {
    "buckets" : [
      {
        "key_as_string" : "2017-04-30T00:00:00.000Z",
        "key" : 1493510400000,
        "doc_count" : 1532
      },
      {
        "key_as_string" : "2017-05-01T00:00:00.000Z",
        "key" : 1493596800000,
        "doc_count" : 2551
      },
      {
        "key_as_string" : "2017-05-02T00:00:00.000Z",
        "key" : 1493683200000,
        "doc_count" : 2861
      },
      {
        "key_as_string" : "2017-05-03T00:00:00.000Z",
        "key" : 1493769600000,
        "doc_count" : 2615
      },
      {
        "key_as_string" : "2017-05-04T00:00:00.000Z",
        "key" : 1493856000000,
        "doc_count" : 1099
      },
      {
        "key_as_string" : "2017-05-05T00:00:00.000Z",
        "key" : 1493942400000,
        "doc_count" : 1264
      }
    ]
  }
}
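The two curl calls above are usually the starting point for something more: building the query programmatically, flattening the bucket list into per-day counts, and comparing a filtered histogram against the unfiltered one. The following Python is an added example, not code from the original post. It assumes an Elasticsearch 7 node on localhost:9200 and the apache-access-log index with its @timestamp and agent.name fields as used in the post; the sample responses embedded in it are constructed from the bucket values shown above so that it runs offline. One caveat it bakes in: Elasticsearch 7.2 and later deprecate the plain "interval" parameter shown in the post in favour of "calendar_interval" (day, week, month) or "fixed_interval" (30s, 1h), so the builder emits calendar_interval. The spike check at the end goes a step beyond the post: flagging days whose request volume is far above the mean is a cheap first signal for scraping, brute-force or outage investigation.

```python
"""Build Elasticsearch 7 date_histogram queries and post-process the buckets.

Added example, not code from the original post. Assumes Elasticsearch 7 on
localhost:9200 and an index apache-access-log with an @timestamp date field
and an agent.name field, as in the post.
"""
import json
import urllib.request
from statistics import mean, pstdev

ES_URL = "http://localhost:9200"   # assumed endpoint, as used in the post
INDEX = "apache-access-log"        # index name from the post


def histogram_query(field="@timestamp", interval="day", match=None):
    """Return the request body for a date_histogram over `field`.

    Uses calendar_interval (ES 7.2+) instead of the deprecated "interval".
    When `match` is given, e.g. {"agent.name": "Firefox"}, it is added as a
    match query so only matching documents are bucketed.
    """
    body = {
        "size": 0,  # only the aggregation buckets are wanted, no hits
        "aggs": {
            "timestamp": {
                "date_histogram": {"field": field, "calendar_interval": interval}
            }
        },
    }
    if match:
        body["query"] = {"match": match}
    return body


def run_query(body, index=INDEX, es_url=ES_URL):
    """POST the body to the index's _search endpoint and parse the response."""
    req = urllib.request.Request(
        f"{es_url}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def buckets_to_counts(response):
    """Flatten the aggregation buckets into {"YYYY-MM-DD": doc_count}."""
    buckets = response["aggregations"]["timestamp"]["buckets"]
    return {b["key_as_string"][:10]: b["doc_count"] for b in buckets}


def share_per_day(filtered, total):
    """Fraction of each day's events that matched the filter (e.g. Firefox)."""
    return {day: filtered.get(day, 0) / n for day, n in total.items() if n}


def spike_days(counts, z=1.5):
    """Days whose count lies more than `z` standard deviations above the mean.

    A simple volume anomaly check; days returned here are worth a closer look.
    """
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [day for day, n in counts.items() if (n - mu) / sigma > z]


def _sample(pairs):
    """Constructed response in the shape Elasticsearch returns (offline use)."""
    return {"aggregations": {"timestamp": {"buckets": [
        {"key_as_string": f"{d}T00:00:00.000Z", "doc_count": n} for d, n in pairs
    ]}}}


# Bucket values as shown in the post's two responses, embedded so this runs
# without a cluster; swap in run_query(histogram_query(...)) against a live node.
ALL_EVENTS = _sample([("2017-04-30", 14166), ("2017-05-01", 15948),
                      ("2017-05-02", 16278), ("2017-05-03", 21172),
                      ("2017-05-04", 16762), ("2017-05-05", 18646)])
FIREFOX_EVENTS = _sample([("2017-04-30", 1532), ("2017-05-01", 2551),
                          ("2017-05-02", 2861), ("2017-05-03", 2615),
                          ("2017-05-04", 1099), ("2017-05-05", 1264)])

if __name__ == "__main__":
    total = buckets_to_counts(ALL_EVENTS)
    firefox = buckets_to_counts(FIREFOX_EVENTS)
    for day, share in share_per_day(firefox, total).items():
        print(f"{day}: {total[day]:6d} events, {share:5.1%} Firefox")
    print("volume spikes:", spike_days(total))
```

Against a live node, replace the two constructed responses with run_query(histogram_query()) and run_query(histogram_query(match={"agent.name": "Firefox"})); the post-processing is unchanged. Taking key_as_string[:10] as the bucket key works because a day-granularity histogram always reports keys at midnight UTC; for finer intervals keep the full timestamp.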