Elasticsearch Date Range Aggregation - Syntax, Example, and Tips

The Date Range Aggregation in Elasticsearch groups documents into buckets defined by ranges over a date field. Each bucket contains the documents whose date falls within its range. This is especially helpful when you need to analyze data over specific time periods or intervals.

Syntax

The basic syntax for a Date Range Aggregation is:

{
  "aggs": {
    "date_ranges": {
      "date_range": {
        "field": "date_field",
        "ranges": [
          { "to": "now-10M/M" },
          { "from": "now-10M/M" }
        ]
      }
    }
  }
}

For more detailed information, refer to the official Elasticsearch documentation on Date Range Aggregation.

Example Usage

Here's an example that groups documents into three date ranges:

GET /sales/_search
{
  "aggs": {
    "sales_over_time": {
      "date_range": {
        "field": "date",
        "format": "yyyy-MM-dd",
        "ranges": [
          { "to": "2023-01-01", "key": "old" },
          { "from": "2023-01-01", "to": "2023-07-01", "key": "current" },
          { "from": "2023-07-01", "key": "future" }
        ]
      }
    }
  }
}

This query will create three buckets: "old" (before 2023), "current" (first half of 2023), and "future" (second half of 2023 and beyond).

Common Issues

  1. Date format mismatches: Ensure that the date format in your query matches the format of your data.
  2. Timezone confusion: Be aware of timezone differences when setting date ranges.
  3. Performance with large datasets: Date Range Aggregations can be resource-intensive on very large datasets.

Best Practices

  1. Use appropriate date formats and be consistent across your index and queries.
  2. Consider using the keyed response format for easier parsing of results.
  3. Combine with other aggregations (like sum or avg) for more insightful analysis.
  4. Use caching for frequently run queries to improve performance.

Frequently Asked Questions

Q: Can I use relative dates in Date Range Aggregation?
A: Yes, you can use date math expressions like "now-1d" or "now/w" in your range definitions.

Q: How does Date Range Aggregation handle documents with missing date fields?
A: By default, documents with missing date fields are ignored. You can use the missing parameter to assign these documents to a specific bucket.

Q: Can I use custom date formats in Date Range Aggregation?
A: Yes, you can specify custom date formats using the format parameter in your aggregation.

Q: Is it possible to have overlapping date ranges?
A: Yes, you can define overlapping date ranges. Documents that fall into multiple ranges will be counted in each applicable bucket.

Q: How can I optimize Date Range Aggregation for better performance?
A: Use appropriate index settings, consider using date histograms for high-cardinality date fields, and leverage caching for frequently run queries.
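
The bucketing rules from the example and the FAQ answers above, modeled locally as an added example (not Elasticsearch code and not part of the original page): each range includes its `from` bound and excludes its `to` bound, overlapping ranges each count a document, documents without a date are skipped unless a `missing` value is supplied, and the zone in which the bounds are read moves documents between buckets. The sample documents and the names `date_range_buckets`, `tz` and `UTC_MINUS_5` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents (not from the page); None models a missing date field.
DOCS = [
    {"id": 1, "date": "2022-12-31T23:30:00-05:00"},  # equals 2023-01-01T04:30Z
    {"id": 2, "date": "2023-01-01T00:00:00+00:00"},  # exactly on a boundary
    {"id": 3, "date": "2023-06-30T23:59:59+00:00"},
    {"id": 4, "date": "2023-07-01T00:00:00+00:00"},  # exactly on a boundary
    {"id": 5, "date": None},
]

# Same ranges as the sales_over_time example on this page.
RANGES = [
    {"key": "old", "to": "2023-01-01"},
    {"key": "current", "from": "2023-01-01", "to": "2023-07-01"},
    {"key": "future", "from": "2023-07-01"},
]

UTC_MINUS_5 = timezone(timedelta(hours=-5))  # fixed offset, chosen for the demo

def _bound(day, tz):
    """Read a yyyy-MM-dd bound as midnight in tz and convert it to UTC."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=tz).astimezone(timezone.utc)

def date_range_buckets(docs, ranges, tz=timezone.utc, missing=None):
    """Local model of date_range bucketing: 'from' inclusive, 'to' exclusive."""
    counts = {r["key"]: 0 for r in ranges}
    for doc in docs:
        raw = doc["date"] if doc["date"] is not None else missing
        if raw is None:
            continue  # no value and no 'missing' substitute: document is ignored
        ts = datetime.fromisoformat(raw)
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=tz)  # values without an offset are read in tz
        ts = ts.astimezone(timezone.utc)
        for r in ranges:  # no break: overlapping ranges each count the document
            lo = _bound(r["from"], tz) if "from" in r else None
            hi = _bound(r["to"], tz) if "to" in r else None
            if (lo is None or ts >= lo) and (hi is None or ts < hi):
                counts[r["key"]] += 1
    return counts

if __name__ == "__main__":
    print("bounds read as UTC:   ", date_range_buckets(DOCS, RANGES))
    print("bounds read as UTC-5: ", date_range_buckets(DOCS, RANGES, tz=UTC_MINUS_5))
    print("missing=2022-01-01:   ", date_range_buckets(DOCS, RANGES, missing="2022-01-01"))
```

Comparing the first two printed rows shows the same four dated documents landing in different buckets purely because of the zone used to interpret the range bounds.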
