Bird
Raised Fist0
Elasticsearchquery~10 mins

Application performance monitoring in Elasticsearch - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to query APM data for transactions.

Elasticsearch
{
  "query": {
    "match": {
      "[1]": "transaction"
    }
  }
}
Drag options to blanks, or click blank then click option'
Aevent.type
Buser.id
Chost.name
Dservice.name
Attempts:
3 left
💡 Hint
Common Mistakes
Using user.id instead of event.type causes no matching transactions.
Using host.name or service.name filters by host or service, not event type.
2fill in blank
medium

Complete the code to aggregate average transaction duration.

Elasticsearch
{
  "aggs": {
    "avg_duration": {
      "[1]": {
        "field": "transaction.duration.us"
      }
    }
  }
}
Drag options to blanks, or click blank then click option'
Amin
Bavg
Cmax
Dterms
Attempts:
3 left
💡 Hint
Common Mistakes
Using terms aggregation instead of avg causes a bucket aggregation, not a metric.
Using max or min returns wrong statistics.
3fill in blank
hard

Fix the error in the filter to select transactions longer than 1 second.

Elasticsearch
{
  "query": {
    "range": {
      "transaction.duration.us": {
        "[1]": 1000000
      }
    }
  }
}
Drag options to blanks, or click blank then click option'
Agte
Blt
Clte
Dgt
Attempts:
3 left
💡 Hint
Common Mistakes
Using lt or lte filters for shorter transactions.
Using gte includes transactions equal to 1 second, which may be acceptable but not the exact fix.
4fill in blank
hard

Fill both blanks to create a filter for errors with status code 500.

Elasticsearch
{
  "query": {
    "bool": {
      "must": [
        { "term": { "[1]": "error" } },
        { "term": { "[2]": 500 } }
      ]
    }
  }
}
Drag options to blanks, or click blank then click option'
Aevent.type
Btransaction.status
Cerror.status_code
Dhttp.response.status_code
Attempts:
3 left
💡 Hint
Common Mistakes
Using transaction.status instead of event.type misses error events.
Using http.response.status_code may not be present in error documents.
5fill in blank
hard

Fill all three blanks to create a dictionary comprehension that maps service names to average transaction durations over 2 seconds.

Elasticsearch
result = { [1]: [2] for [3] in services if [2] > 2000000 }
Drag options to blanks, or click blank then click option'
Aservice.name
Bavg_duration
Cservice
Dtransaction.duration.us
Attempts:
3 left
💡 Hint
Common Mistakes
Using transaction.duration.us as key or loop variable causes errors.
Using service as key instead of service.name results in wrong dictionary keys.

Practice

(1/5)
1. What is the main purpose of Application Performance Monitoring (APM) in Elasticsearch?
easy
A. To track application speed and detect errors
B. To store user login credentials securely
C. To manage Elasticsearch cluster nodes
D. To backup Elasticsearch indexes automatically

Solution

  1. Step 1: Understand APM's role

    APM is designed to monitor how fast an application runs and to find any errors it produces.

  2. Step 2: Match purpose with options

    Only To track application speed and detect errors describes tracking speed and errors, which fits APM's main goal.

  3. Final Answer:

    To track application speed and detect errors -> Option A

  4. Quick Check:

    APM purpose = Track speed and errors [OK]
Hint: APM = watch app speed and errors [OK]
Common Mistakes:
  • Confusing APM with security or backup tools
  • Thinking APM manages cluster nodes
  • Assuming APM stores user credentials
2. Which Elasticsearch query syntax correctly calculates the average response time from APM data?
easy
A. POST /apm-*/_update_by_query {"script": {"source": "ctx._source.duration = 0"}}
B. GET /apm-*/_search {"query": {"match_all": {}}, "size":10}
C. GET /apm-*/_search {"size":0, "aggs": {"avg_response_time": {"avg": {"field": "transaction.duration.us"}}}}
D. GET /apm-*/_search {"aggs": {"max_response_time": {"max": {"field": "transaction.duration.us"}}}}

Solution

  1. Step 1: Identify aggregation for average

    The query uses "avg" aggregation on the field "transaction.duration.us" which stores response times in microseconds.

  2. Step 2: Confirm query structure

    Size is 0 to avoid returning documents, focusing only on aggregation results, which is correct for average calculation.

  3. Final Answer:

    GET /apm-*/_search {"size":0, "aggs": {"avg_response_time": {"avg": {"field": "transaction.duration.us"}}}} -> Option C

  4. Quick Check:

    Average aggregation query = GET /apm-*/_search {"size":0, "aggs": {"avg_response_time": {"avg": {"field": "transaction.duration.us"}}}} [OK]
Hint: Average uses "avg" aggregation with size 0 [OK]
Common Mistakes:
  • Using match_all without aggregation
  • Using update_by_query instead of search
  • Using max aggregation instead of avg
3. Given this Elasticsearch aggregation query on APM data, what is the expected output? 
GET /apm-*/_search
{
  "size": 0,
  "aggs": {
    "avg_response_time": {
      "avg": { "field": "transaction.duration.us" }
    }
  }
}
medium
A. {"aggregations":{"max_response_time":{"value":500000}}}
B. {"hits":{"total":100}}
C. {"error":"Field not found"}
D. {"aggregations":{"avg_response_time":{"value":250000}}}

Solution

  1. Step 1: Understand aggregation type

    The query requests the average of the field "transaction.duration.us" which holds response times in microseconds.

  2. Step 2: Match output to aggregation

    The output shows an aggregation named "avg_response_time" with a numeric value representing the average, matching {"aggregations":{"avg_response_time":{"value":250000}}}.

  3. Final Answer:

    {"aggregations":{"avg_response_time":{"value":250000}}} -> Option D

  4. Quick Check:

    Average aggregation output = {"aggregations":{"avg_response_time":{"value":250000}}} [OK]
Hint: Aggregation output shows "aggregations" with average value [OK]
Common Mistakes:
  • Confusing hits total with aggregation result
  • Expecting max instead of avg
  • Assuming error without checking field existence
4. You run this Elasticsearch query to get average response time but get an error: Fielddata is disabled on text fields by default. What is the likely cause?
medium
A. Trying to aggregate on a text field instead of a numeric field
B. Using the wrong index pattern in the query
C. Missing authentication credentials
D. Query syntax error in aggregation block

Solution

  1. Step 1: Analyze error message

    The error says fielddata is disabled on text fields, which means aggregation was attempted on a text field.

  2. Step 2: Understand aggregation requirements

    Aggregations like average require numeric fields, so using a text field causes this error.

  3. Final Answer:

    Trying to aggregate on a text field instead of a numeric field -> Option A

  4. Quick Check:

    Fielddata error = Aggregation on text field [OK]
Hint: Average needs numeric field, not text [OK]
Common Mistakes:
  • Blaming index pattern or auth for this error
  • Assuming syntax error without checking field type
  • Ignoring field data type requirements
5. You want to monitor the average response time for your app but only for transactions with errors. Which Elasticsearch query snippet correctly filters and calculates this?
hard
A. { "size": 0, "query": { "term": { "error.id": "" } }, "aggs": { "avg_response_time": { "avg": { "field": "transaction.duration.us" } } } }
B. { "size": 0, "query": { "exists": { "field": "error.id" } }, "aggs": { "avg_response_time": { "avg": { "field": "transaction.duration.us" } } } }
C. { "size": 0, "query": { "match_all": {} }, "aggs": { "avg_response_time": { "avg": { "field": "transaction.duration.us" } } } }
D. { "size": 0, "query": { "term": { "transaction.status": "success" } }, "aggs": { "avg_response_time": { "avg": { "field": "transaction.duration.us" } } } }

Solution

  1. Step 1: Identify filter for transactions with errors

    Transactions with errors have a non-empty "error.id" field, so we use "exists" query on "error.id".

  2. Step 2: Confirm aggregation on filtered data

    The aggregation calculates average response time only on filtered documents, which is correct.

  3. Final Answer:

    { "size": 0, "query": { "exists": { "field": "error.id" } }, "aggs": { "avg_response_time": { "avg": { "field": "transaction.duration.us" } } } } -> Option B

  4. Quick Check:

    Filter errors with exists + avg aggregation = { "size": 0, "query": { "exists": { "field": "error.id" } }, "aggs": { "avg_response_time": { "avg": { "field": "transaction.duration.us" } } } } [OK]
Hint: Use exists query to filter error transactions [OK]
Common Mistakes:
  • Using empty term query instead of exists
  • Calculating average without filtering errors
  • Filtering for success instead of errors