Range aggregation

What if we don't want all the buckets to have the same interval? The range aggregation lets us create buckets of unequal sizes.

The following range aggregation slices the data into three buckets: up to 1 KB, 1 KB to 100 KB, and 100 KB or more. Each range can specify from and to, and both are optional. If only to is specified, that bucket includes all the documents with values up to the specified value. The to value is exclusive, so it is not included in the current bucket's range:

POST /bigginsight/_search?size=0
{
  "aggs": {
    "by_usage": {
      "range": {
        "field": "usage",
        "ranges": [
          { "to": 1024 },
          { "from": 1024, "to": 102400 },
          { "from": 102400 }
        ]
      }
    }
  }
}

The response of this request will look similar to the following:

{
  ...,
  "aggregations": {
    "by_usage": {
      "buckets": [
        {
          "key": "*-1024.0",
          "to": 1024,
          "doc_count": 31324
        },
        {
          "key": "1024.0-102400.0",
          "from": 1024,
          "to": 102400,
          "doc_count": 207498
        },
        {
          "key": "102400.0-*",
          "from": 102400,
          "doc_count": 4013
        }
      ]
    }
  }
}

It is possible to specify custom key labels for the range buckets, as follows:

POST /bigginsight/_search?size=0
{
  "aggs": {
    "by_usage": {
      "range": {
        "field": "usage",
        "ranges": [
          { "key": "Upto 1 kb", "to": 1024 },
          { "key": "1 kb to 100 kb", "from": 1024, "to": 102400 },
          { "key": "100 kb and more", "from": 102400 }
        ]
      }
    }
  }
}

Each bucket in the response will then carry its custom key. This is helpful for looking up the relevant bucket from the response without iterating through all the buckets.
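The bucket boundary rules described above, as an added example that is not from the book: a local Python emulation of how the range aggregation assigns values to buckets (from inclusive, to exclusive) and labels them with default or custom keys. The names range_buckets and by_key and the sample usage values are constructed for illustration.

```python
# Added example: local emulation of range-aggregation bucketing.
# range_buckets, by_key and the sample data are constructed for illustration.

def range_buckets(values, ranges):
    """Count values per range; 'from' is inclusive, 'to' is exclusive."""
    buckets = []
    for r in ranges:
        lo, hi = r.get("from"), r.get("to")
        # Default key mirrors the response format shown above, e.g. "*-1024.0"
        default_key = "{}-{}".format(
            "*" if lo is None else float(lo),
            "*" if hi is None else float(hi),
        )
        bucket = {"key": r.get("key", default_key)}
        if lo is not None:
            bucket["from"] = lo
        if hi is not None:
            bucket["to"] = hi
        bucket["doc_count"] = sum(
            1 for v in values
            if (lo is None or v >= lo) and (hi is None or v < hi)
        )
        buckets.append(bucket)
    return buckets


def by_key(buckets):
    """Index buckets by key so one can be looked up directly."""
    return {b["key"]: b for b in buckets}


# Constructed usage values in bytes, including both boundary values.
SAMPLE_USAGE = [0, 512, 1023, 1024, 50000, 102399, 102400, 5000000]
DEFAULT_RANGES = [
    {"to": 1024},
    {"from": 1024, "to": 102400},
    {"from": 102400},
]
LABELLED_RANGES = [
    {"key": "Upto 1 kb", "to": 1024},
    {"key": "1 kb to 100 kb", "from": 1024, "to": 102400},
    {"key": "100 kb and more", "from": 102400},
]

if __name__ == "__main__":
    for b in range_buckets(SAMPLE_USAGE, DEFAULT_RANGES):
        print(b)
    print(by_key(range_buckets(SAMPLE_USAGE, LABELLED_RANGES))["1 kb to 100 kb"])
```

A value of exactly 1024 lands in the second bucket and 102400 in the third, which is the boundary behaviour to keep in mind when reading the doc_count values.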

There are more aggregations available for numerical data, but covering all of these aggregations is beyond the scope of this book. 

Next, we will look at a couple of important concepts related to bucket aggregation and aggregations in general.
