Boxplot aggregation

A boxplot metrics aggregation that computes a boxplot of numeric values extracted from the aggregated documents. These values can be generated from specific numeric or histogram fields in the documents.

The boxplot aggregation returns essential information for making a box plot: minimum, maximum, median, first quartile (25th percentile) and third quartile (75th percentile) values.

Syntax

A boxplot aggregation looks like this in isolation:

    {
      "boxplot": {
        "field": "load_time"
      }
    }

Let’s look at a boxplot representing load time:

    resp = client.search(
        index="latency",
        size=0,
        aggs={
            "load_time_boxplot": {
                "boxplot": {
                    "field": "load_time"
                }
            }
        },
    )
    print(resp)

    response = client.search(
      index: 'latency',
      body: {
        size: 0,
        aggregations: {
          load_time_boxplot: {
            boxplot: {
              field: 'load_time'
            }
          }
        }
      }
    )
    puts response

    const response = await client.search({
      index: "latency",
      size: 0,
      aggs: {
        load_time_boxplot: {
          boxplot: {
            field: "load_time",
          },
        },
      },
    });
    console.log(response);

    GET latency/_search
    {
      "size": 0,
      "aggs": {
        "load_time_boxplot": {
          "boxplot": {
            "field": "load_time"
          }
        }
      }
    }

The field load_time must be a numeric field.

The response will look like this:

    {
      ...
      "aggregations": {
        "load_time_boxplot": {
          "min": 0.0,
          "max": 990.0,
          "q1": 167.5,
          "q2": 445.0,
          "q3": 722.5,
          "lower": 0.0,
          "upper": 990.0
        }
      }
    }

In this case, the lower and upper whisker values are equal to the min and max. In general, these values are the 1.5 * IQR range, which is to say the nearest values to q1 - (1.5 * IQR) and q3 + (1.5 * IQR). Since this is an approximation, the given values may not actually be observed values from the data, but should be within a reasonable error bound of them. While the Boxplot aggregation doesn’t directly return outlier points, you can check if lower > min or upper < max to see if outliers exist on either side, and then query for them directly.
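The whisker check described above can be turned into a follow-up query, as in this added example (it is not part of the Elasticsearch documentation or client code). The function name `outlier_query`, the second sample response, and the choice of a `bool` query with `range` clauses are assumptions made for illustration.

```python
import math

# Boxplot result exactly as shown in the response above.
PAGE_BOXPLOT = {"min": 0.0, "max": 990.0, "q1": 167.5, "q2": 445.0,
                "q3": 722.5, "lower": 0.0, "upper": 990.0}

# Constructed sample: same quartiles, but one very slow request.
# IQR = 722.5 - 167.5 = 555, so q3 + 1.5 * IQR = 1555.
CONSTRUCTED_BOXPLOT = {"min": 0.0, "max": 9900.0, "q1": 167.5, "q2": 445.0,
                       "q3": 722.5, "lower": 0.0, "upper": 1555.0}


def outlier_query(field, boxplot, size=100):
    """Return a search body matching values outside the whiskers, or None.

    Outliers exist below when lower > min and above when upper < max.
    """
    stats = [boxplot.get(k) for k in ("min", "max", "lower", "upper")]
    # Assumption: non-numeric or non-finite statistics mean there is
    # nothing to compare, so no follow-up query is built.
    if not all(isinstance(v, (int, float)) and math.isfinite(v) for v in stats):
        return None
    minimum, maximum, lower, upper = stats

    clauses = []
    if lower > minimum:
        clauses.append({"range": {field: {"lt": lower}}})
    if upper < maximum:
        clauses.append({"range": {field: {"gt": upper}}})
    if not clauses:
        return None

    # The whiskers are approximations, so treat the matches as candidates
    # to review rather than an exact outlier set.
    return {
        "size": size,
        "query": {"bool": {"should": clauses, "minimum_should_match": 1}},
    }


if __name__ == "__main__":
    print(outlier_query("load_time", PAGE_BOXPLOT))
    print(outlier_query("load_time", CONSTRUCTED_BOXPLOT))
```

The returned dictionary can be sent as the body of a second search against the same index.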

Script

If you need to create a boxplot for values that aren’t indexed exactly, create a runtime field and get the boxplot of that. For example, if your load times are in milliseconds but you want values calculated in seconds, use a runtime field to convert them:

    resp = client.search(
        index="latency",
        size=0,
        runtime_mappings={
            "load_time.seconds": {
                "type": "long",
                "script": {
                    "source": "emit(doc['load_time'].value / params.timeUnit)",
                    "params": {
                        "timeUnit": 1000
                    }
                }
            }
        },
        aggs={
            "load_time_boxplot": {
                "boxplot": {
                    "field": "load_time.seconds"
                }
            }
        },
    )
    print(resp)

    response = client.search(
      index: 'latency',
      body: {
        size: 0,
        runtime_mappings: {
          'load_time.seconds' => {
            type: 'long',
            script: {
              source: "emit(doc['load_time'].value / params.timeUnit)",
              params: {
                "timeUnit": 1000
              }
            }
          }
        },
        aggregations: {
          load_time_boxplot: {
            boxplot: {
              field: 'load_time.seconds'
            }
          }
        }
      }
    )
    puts response

    const response = await client.search({
      index: "latency",
      size: 0,
      runtime_mappings: {
        "load_time.seconds": {
          type: "long",
          script: {
            source: "emit(doc['load_time'].value / params.timeUnit)",
            params: {
              timeUnit: 1000,
            },
          },
        },
      },
      aggs: {
        load_time_boxplot: {
          boxplot: {
            field: "load_time.seconds",
          },
        },
      },
    });
    console.log(response);

    GET latency/_search
    {
      "size": 0,
      "runtime_mappings": {
        "load_time.seconds": {
          "type": "long",
          "script": {
            "source": "emit(doc['load_time'].value / params.timeUnit)",
            "params": {
              "timeUnit": 1000
            }
          }
        }
      },
      "aggs": {
        "load_time_boxplot": {
          "boxplot": { "field": "load_time.seconds" }
        }
      }
    }

Boxplot values are (usually) approximate

The algorithm used by the boxplot metric is called TDigest (introduced by Ted Dunning in Computing Accurate Quantiles using T-Digests).

Boxplot, like other percentile aggregations, is also non-deterministic. This means you can get slightly different results using the same data.

Compression

Approximate algorithms must balance memory utilization with estimation accuracy. This balance can be controlled using a compression parameter:

    resp = client.search(
        index="latency",
        size=0,
        aggs={
            "load_time_boxplot": {
                "boxplot": {
                    "field": "load_time",
                    "compression": 200
                }
            }
        },
    )
    print(resp)

    response = client.search(
      index: 'latency',
      body: {
        size: 0,
        aggregations: {
          load_time_boxplot: {
            boxplot: {
              field: 'load_time',
              compression: 200
            }
          }
        }
      }
    )
    puts response

    const response = await client.search({
      index: "latency",
      size: 0,
      aggs: {
        load_time_boxplot: {
          boxplot: {
            field: "load_time",
            compression: 200,
          },
        },
      },
    });
    console.log(response);

    GET latency/_search
    {
      "size": 0,
      "aggs": {
        "load_time_boxplot": {
          "boxplot": {
            "field": "load_time",
            "compression": 200
          }
        }
      }
    }

Compression controls memory usage and approximation error

The TDigest algorithm uses a number of “nodes” to approximate percentiles: the more nodes available, the higher the accuracy (and the larger the memory footprint), proportional to the volume of data. The compression parameter limits the maximum number of nodes to 20 * compression.

Therefore, by increasing the compression value, you can increase the accuracy of your percentiles at the cost of more memory. Larger compression values also make the algorithm slower since the underlying tree data structure grows in size, resulting in more expensive operations. The default compression value is 100.

A “node” uses roughly 32 bytes of memory, so under worst-case scenarios (large amount of data which arrives sorted and in-order) the default settings will produce a TDigest roughly 64KB in size. In practice data tends to be more random and the TDigest will use less memory.

Execution hint

The default implementation of TDigest is optimized for performance, scaling to millions or even billions of sample values while maintaining acceptable accuracy levels (close to 1% relative error for millions of samples in some cases). To use an implementation optimized for accuracy instead, set the execution_hint parameter to high_accuracy:

    resp = client.search(
        index="latency",
        size=0,
        aggs={
            "load_time_boxplot": {
                "boxplot": {
                    "field": "load_time",
                    "execution_hint": "high_accuracy"
                }
            }
        },
    )
    print(resp)

    response = client.search(
      index: 'latency',
      body: {
        size: 0,
        aggregations: {
          load_time_boxplot: {
            boxplot: {
              field: 'load_time',
              execution_hint: 'high_accuracy'
            }
          }
        }
      }
    )
    puts response

    const response = await client.search({
      index: "latency",
      size: 0,
      aggs: {
        load_time_boxplot: {
          boxplot: {
            field: "load_time",
            execution_hint: "high_accuracy",
          },
        },
      },
    });
    console.log(response);

    GET latency/_search
    {
      "size": 0,
      "aggs": {
        "load_time_boxplot": {
          "boxplot": {
            "field": "load_time",
            "execution_hint": "high_accuracy"
          }
        }
      }
    }

Optimize TDigest for accuracy, at the expense of performance

This option can lead to improved accuracy (relative error close to 0.01% for millions of samples in some cases) but then percentile queries take 2x-10x longer to complete.

Missing value

The missing parameter defines how documents that are missing a value should be treated. By default, they are ignored, but it is also possible to treat them as if they had a value.

    resp = client.search(
        index="latency",
        size=0,
        aggs={
            "grade_boxplot": {
                "boxplot": {
                    "field": "grade",
                    "missing": 10
                }
            }
        },
    )
    print(resp)

    response = client.search(
      index: 'latency',
      body: {
        size: 0,
        aggregations: {
          grade_boxplot: {
            boxplot: {
              field: 'grade',
              missing: 10
            }
          }
        }
      }
    )
    puts response

    const response = await client.search({
      index: "latency",
      size: 0,
      aggs: {
        grade_boxplot: {
          boxplot: {
            field: "grade",
            missing: 10,
          },
        },
      },
    });
    console.log(response);

    GET latency/_search
    {
      "size": 0,
      "aggs": {
        "grade_boxplot": {
          "boxplot": {
            "field": "grade",
            "missing": 10
          }
        }
      }
    }

Documents without a value in the grade field will fall into the same bucket as documents that have the value 10.