How to limit results of an aggregated query with a simple filter in OpenSearch

Question

I am new to OpenSearch, I tried to find it in documentation but couldn't figure it out. I have a aggregation query

{
    "size": 0,
    "aggs": {
        "records_per_day": {
            "date_histogram": {
                "field": "@timestamp",
                "interval": "day"
            }
        }
    }
}

This returns a lot of records however, I want to add a filter to show records only later than a particular timestamp(within 7 days only).

{
    "query": {
        "range": {
            "@timestamp": {
                "from": "now-7d",
                "to": "now"
            }
        }
    }
}

How can I add this filter to the first query?

Answer 1

I figured it out, the above can be achieved by the following query:

{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": {
        "from": "now-7d/d",
        "to": "now/d"
      }
    }
  },
  "aggs": {
    "records_per_day": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1d",
        "format": "yyyy-MM-dd",
        "min_doc_count": 0,
        "extended_bounds": {
          "min": "now-7d/d",
          "max": "now/d"
        }
      }
    }
  }
}

Answer 2

With the range query, you must use the operators:

• gte (greater than or equal to)
• gt (greather than)
• lte (less than or equal to)
• lt (less than).

To filter for only seven last days, you will implement the query this way:

"query": {
  "range": {
    "@timestamp": {
      "gte": "now-7d"
    }
  }
},
"sort": [
  {
    "@timestamp": {
      "order" : "asc"
    }
  }
]

The sort clause is optional, but in cases like this it helps to put the response in the right order. For more information about the range query: https://opensearch.org/docs/latest/query-dsl/term/range