[[search-aggregations-bucket-time-series-aggregation]] === Time series aggregation ++++ Time series ++++ preview::[] The time series aggregation queries data created using a time series index. This is typically data such as metrics or other data streams with a time component, and requires creating an index using the time series mode. ////////////////////////// Creating a time series mapping To create an index with the time series mapping, specify "mode" as "time_series" in the index settings, "routing_path" specifying the a list of time series fields, and a start and end time for the series. Each of the "routing_path" fields must be keyword fields with "time_series_dimension" set to true. Additionally, add a date field used as the timestamp. [source,js] -------------------------------------------------- PUT /my-time-series-index { "settings": { "index": { "number_of_shards": 3, "number_of_replicas": 2, "mode": "time_series", "routing_path": ["key"], "time_series": { "start_time": "2022-01-01T00:00:00Z", "end_time": "2023-01-01T00:00:00Z" } } }, "mappings": { "properties": { "key": { "type": "keyword", "time_series_dimension": true }, "@timestamp": { "type": "date" } } } } ------------------------------------------------- // NOTCONSOLE ////////////////////////// Data can be added to the time series index like other indices: [source,js] -------------------------------------------------- PUT /my-time-series-index-0/_bulk { "index": {} } { "key": "a", "val": 1, "@timestamp": "2022-01-01T00:00:10Z" } { "index": {}} { "key": "a", "val": 2, "@timestamp": "2022-01-02T00:00:00Z" } { "index": {} } { "key": "b", "val": 2, "@timestamp": "2022-01-01T00:00:10Z" } { "index": {}} { "key": "b", "val": 3, "@timestamp": "2022-01-02T00:00:00Z" } -------------------------------------------------- // NOTCONSOLE To perform a time series aggregation, specify "time_series" as the aggregation type. When the boolean "keyed" is true, each bucket is given a unique key. [source,js,id=time-series-aggregation-example] -------------------------------------------------- GET /_search { "aggs": { "ts": { "time_series": { "keyed": false } } } } -------------------------------------------------- // NOTCONSOLE This will return all results in the time series, however a more typical query will use sub aggregations to reduce the date returned to something more relevant. [[search-aggregations-bucket-time-series-aggregation-size]] ==== Size By default, `time series` aggregations return 10000 results. The "size" parameter can be used to limit the results further. Alternatively, using sub aggregations can limit the amount of values returned as a time series aggregation. [[search-aggregations-bucket-time-series-aggregation-keyed]] ==== Keyed The `keyed` parameter determines if buckets are returned as a map with unique keys per bucket. By default with `keyed` set to false, buckets are returned as an array. [[times-series-aggregations-limitations]] ==== Limitations The `time_series` aggregation has many limitations. Many aggregation performance optimizations are disabled when using the `time_series` aggregation. For example the filter by filter optimization or collect mode breath first (`terms` and `multi_terms` aggregation forcefully use the depth first collect mode). The following aggregations also fail to work if used in combination with the `time_series` aggregation: `auto_date_histogram`, `variable_width_histogram`, `rare_terms`, `global`, `composite`, `sampler`, `random_sampler` and `diversified_sampler`.