Elasticsearch Max Bucket Aggregation - Syntax, Example, and Tips

Pulse - Elasticsearch Operations Done Right

On this page

Syntax Example Usage Common Issues Best Practices Frequently Asked Questions

The Max Bucket Aggregation is a sibling pipeline aggregation that identifies the bucket(s) with the maximum value of a specified metric in a sibling aggregation. It's useful for finding the "top" bucket based on a particular metric.

Syntax

{
  "max_bucket": {
    "buckets_path": "string"
  }
}

For detailed syntax and parameters, refer to the official Elasticsearch documentation.

Example Usage

{
  "aggs": {
    "sales_per_month": {
      "date_histogram": {
        "field": "date",
        "calendar_interval": "month"
      },
      "aggs": {
        "sales": {
          "sum": {
            "field": "price"
          }
        }
      }
    },
    "max_monthly_sales": {
      "max_bucket": {
        "buckets_path": "sales_per_month>sales"
      }
    }
  }
}

This example finds the month with the highest total sales.

Common Issues

  1. Incorrect buckets_path: Ensure the path correctly points to the metric in the sibling aggregation.
  2. Using with single-bucket aggregations: Max Bucket works only with multi-bucket aggregations.
  3. Null values: Be aware of how null values are handled in your data and aggregations.

Best Practices

  1. Use meaningful names for your aggregations to make buckets_path more readable.
  2. Consider using max_bucket in combination with min_bucket for a comprehensive analysis.
  3. When dealing with date histograms, be mindful of timezone settings to avoid unexpected results.

Frequently Asked Questions

Q: Can Max Bucket Aggregation work with nested aggregations?
A: Yes, Max Bucket Aggregation can work with nested aggregations. Use the > notation in the buckets_path to navigate through nested levels.

Q: How does Max Bucket Aggregation handle ties?
A: If multiple buckets have the same maximum value, Max Bucket Aggregation will return the first bucket it encounters with that value.

Q: Can I use Max Bucket Aggregation with non-numeric fields?
A: Max Bucket Aggregation works on the numeric result of a metric aggregation. The source field of that metric aggregation can be non-numeric, but the metric itself (e.g., count, sum) must produce a numeric result.

Q: Is it possible to get the top N buckets instead of just the maximum?
A: Max Bucket Aggregation only returns the single maximum. For top N results, consider using the Top Metrics Aggregation or a Bucket Sort Aggregation.

Q: How does Max Bucket Aggregation perform on large datasets?
A: Max Bucket Aggregation is generally efficient as it operates on already aggregated data. However, the performance depends on the number of buckets in the parent aggregation and the complexity of the metric calculation.

Pulse - Elasticsearch Operations Done Right

All the Elasticsearch support you'll ever need

Free Trial

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.