I'm storing documents related to events that happen daily. They have a name field that denotes the event.
For tracking purposes, I want to specifically track events that happened a week, or a month ago, and also track whether those events ALSO happened the previous week or previous month before that month.
For example, with the time being "now", I want to grab the documents which have names that appear in both:
{
  "range": { "last_seen": { "gte": "now-1w/d", "lte": "now" } }
}
and
{
  "range": { "last_seen": { "gte": "now-2w/d", "lte": "now-1w/d" } }
}
So if a document with name "visitor" appears in both ranges, it is counted. If a document with name "shutdown" appears in only one range, it is not counted.
Currently I'm only able to get all unique names that exist between one large range that encompasses both ranges that I want. It is aggregated in a daily date histogram and it lists the unique names for each day.
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "_type": "events"
          }
        }
      ],
      "must": {
        "range": {
          "last_seen": {
            "gte": "now-2w/d"
          }
        }
      }
    }
  },
  "size": 0,
  "aggregations": {
    "per_day_events": {
      "date_histogram": {
        "field": "last_seen",
        "interval": "day",
        "format": "date",
        "time_zone": "America/New_York"
      },
      "aggregations": {
        "daily_events": {
          "date_range": {
            "field": "last_seen",
            "format": "date",
            "ranges": [
              { "from": "now-1w/d" }
            ]
          },
          "aggregations": {
            "unique_events": {
              "cardinality": {
                "field": "name.keyword"
              }
            }
          }
        }
      }
    }
  }
}
name is a text field (with a name.keyword sub-field) and last_seen is a date field.
Is what I want to do possible in a single Elasticsearch query?
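As an added example (not part of the question above), here is one way the "names present in both ranges" logic can be expressed as a single request body, together with a small offline evaluator that applies the same rule to constructed sample documents so the expected result can be checked without a cluster. It assumes the field names from the question (name.keyword and last_seen); the aggregation names by_name, this_week, prior_week and in_both are arbitrary. Instead of a date_histogram, it buckets on the name with a terms aggregation, counts hits per bucket with two filter sub-aggregations (one per range), and keeps only the buckets where both counts are non-zero using a bucket_selector pipeline aggregation. The earlier range uses lt rather than lte for its upper bound so that the boundary day is not counted in both ranges.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


def build_query(max_names: int = 10000, time_zone: str = "America/New_York") -> dict:
    """Return one Elasticsearch request body listing names seen in BOTH ranges.

    terms buckets one name per bucket; the two filter sub-aggregations count the
    bucket's documents inside each window; bucket_selector drops buckets where
    either count is zero. time_zone makes the "/d" rounding use local midnight.
    """
    recent = {"range": {"last_seen": {"gte": "now-1w/d", "lte": "now",
                                      "time_zone": time_zone}}}
    prior = {"range": {"last_seen": {"gte": "now-2w/d", "lt": "now-1w/d",
                                     "time_zone": time_zone}}}
    return {
        "size": 0,
        # Outer query narrows the scan to the two-week window before aggregating.
        "query": {"range": {"last_seen": {"gte": "now-2w/d", "lte": "now",
                                          "time_zone": time_zone}}},
        "aggs": {
            "by_name": {
                "terms": {"field": "name.keyword", "size": max_names},
                "aggs": {
                    "this_week": {"filter": recent},
                    "prior_week": {"filter": prior},
                    "in_both": {
                        "bucket_selector": {
                            # _count of a filter aggregation is its doc_count.
                            "buckets_path": {"recent": "this_week>_count",
                                             "prior": "prior_week>_count"},
                            "script": "params.recent > 0 && params.prior > 0",
                        }
                    },
                },
            }
        },
    }


def _start_of_day(ts: datetime) -> datetime:
    """Equivalent of the gte side of 'now-Nw/d': round down to midnight."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def names_in_both_ranges(docs: List[Dict], now: datetime) -> Set[str]:
    """Offline equivalent of the aggregation in build_query, for checking the rule.

    Each doc is {"name": str, "last_seen": datetime}. A name qualifies only if it
    has at least one hit in [now-1w/d, now] AND at least one in [now-2w/d, now-1w/d).
    """
    week_ago = _start_of_day(now - timedelta(weeks=1))
    two_weeks_ago = _start_of_day(now - timedelta(weeks=2))
    recent = {d["name"] for d in docs if week_ago <= d["last_seen"] <= now}
    prior = {d["name"] for d in docs if two_weeks_ago <= d["last_seen"] < week_ago}
    return recent & prior


# Constructed sample data (not from the question), all times UTC.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"name": "visitor", "last_seen": NOW - timedelta(days=2)},    # this week
    {"name": "visitor", "last_seen": NOW - timedelta(days=10)},   # prior week
    {"name": "shutdown", "last_seen": NOW - timedelta(days=3)},   # this week only
    {"name": "login", "last_seen": NOW - timedelta(days=9)},      # prior week only
    {"name": "login", "last_seen": NOW - timedelta(days=20)},     # outside both
    {"name": "backup", "last_seen": NOW - timedelta(days=7)},     # boundary day: this week
    {"name": "backup", "last_seen": NOW - timedelta(days=8)},     # prior week
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(), indent=2))
    print(sorted(names_in_both_ranges(SAMPLE_DOCS, NOW)))
```

The terms aggregation returns at most size buckets, so max_names has to be at least the number of distinct names in the window or some names will be silently dropped; the bucket_selector only filters what terms already returned. The response's by_name.buckets then contains exactly the names seen in both windows, with this_week.doc_count and prior_week.doc_count per name, so no client-side intersection of per-day lists is needed.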