Constructing an Event History Search
This tutorial illustrates how to construct an Event History Search, the components of a search, and how to use Elasticsearch syntax in your queries.
Let's start by looking at what we're working towards: a comparison of how much money goes through each payment provider in the most recent week.
Searches are constructed from three fields:
- the Query field
- the Group by field
- the Sum by field
The first field to edit will usually be the Query field, which is constructed by selecting an Event Type, a Start Date, and an End Date:
Editing any of the Event Type, the Start Date, or the End Date constructs the Query field itself:
At this point, the search will show only player_realmoney_purchase events:
By default, Group by will aggregate events by their event type. Here, we are only querying for a single event type. Instead, let's group by a property of the event. Looking at the documentation for the event, we can see that paymentProvider is a property:
Now, the chart shows the counts of how many events occurred for each group:
By default, Sum by will count the number of events per group. We can sum a property of the event instead. We could find a property by again looking at the event documentation. There is another way to see the properties of the events you query for though: looking at the event JSON itself.
We do this by clicking on the "Show JSON" button to the left of the event:
Now we can look for a value to compute with. Looking at the JSON, an appropriate value (a number value and not an ID) is "OrderTotal":
Let's set the Sum by to that value:
After searching again, we can see that our chart is now what we want:
We could be done here, but there's one issue: if you want to save this search, the dates will still be the week of Aug 25 to Aug 31! We can do better by manually editing the Query field.
The constructed Query field uses Elasticsearch syntax, meaning that you can use Elasticsearch's features in your queries, such as logical operators (note the "AND" between "eventName" and "timestamp") or, what we want here, date math expressions.
We can directly substitute the dates in the Query field for relative dates:
Now, if we save the search:
When you select the search from your Saved Searches drop-down, your search will be reconstructed, and when you search, the dates will be relative to the current time.
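To see why a saved search with date math keeps moving, the following added example (not part of the original tutorial or the product) resolves the relative range in a query to concrete timestamps for two different run dates. The query shape in `SAVED_QUERY`, the run dates, and the helper names `resolve` and `windows` are assumptions; only `now`, `+`/`-` offsets in s, m, h, d, w, and `/d` rounding are handled, with the upper bound of an inclusive range rounded up to the end of the day as Elasticsearch documents.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed-length units only; calendar units (M, y) are left out of this sketch.
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
STEP = re.compile(r"([+-])(\d+)([smhdw])|(/d)")
RANGE = re.compile(r"\[(now\S*) TO (now[^\s\]]*)\]")

# Assumed query shape; eventName and timestamp are the fields named in the text.
SAVED_QUERY = "eventName:player_realmoney_purchase AND timestamp:[now-7d/d TO now]"


def resolve(expr, now, round_up=False):
    """Resolve a 'now'-anchored date math expression such as 'now-7d/d'."""
    if not expr.startswith("now"):
        raise ValueError("only 'now'-anchored expressions are handled: %r" % expr)
    t, pos = now, 3
    while pos < len(expr):
        m = STEP.match(expr, pos)
        if m is None:
            raise ValueError("unsupported date math at %r" % expr[pos:])
        if m.group(4):
            # '/d' rounds down to midnight, or up to the day's last millisecond
            # when the expression is the upper bound of an inclusive range.
            t = t.replace(hour=0, minute=0, second=0, microsecond=0)
            if round_up:
                t += timedelta(days=1) - timedelta(milliseconds=1)
        else:
            delta = timedelta(**{UNITS[m.group(3)]: int(m.group(2))})
            t = t + delta if m.group(1) == "+" else t - delta
        pos = m.end()
    return t


def windows(query, now):
    """Return the (start, end) datetimes of every [now... TO now...] range."""
    return [(resolve(lo, now), resolve(hi, now, round_up=True))
            for lo, hi in RANGE.findall(query)]


if __name__ == "__main__":
    # Constructed run dates: the same saved query covers a different week each time.
    for run_at in (datetime(2024, 9, 4, 15, 30, tzinfo=timezone.utc),
                   datetime(2024, 9, 11, 9, 0, tzinfo=timezone.utc)):
        start, end = windows(SAVED_QUERY, run_at)[0]
        print(run_at.isoformat(), "->", start.isoformat(), "to", end.isoformat())
```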