我正在尝试为另一个字段的多个值的字段的最大值之和做一个日期历史记录.以下是两个匹配文档的示例:
{
"_index": "logstash-2014.02.06",
"_type": "xyz",
"_id": "HZ_2oaGvQvKWvsOLyYrGrw",
"_score": 1,
"_source": {
"@version": "1",
"@timestamp": "2014-02-05T16:01:01.260-08:00",
"type": "xyz",
"host": "compute-4.lab.solinea.com",
"received_at": "2014-02-05 21:01:01 UTC",
"received_from": "10.10.11.33",
"total_widgets": 24,
}
},
{
"_index": "logstash-2014.02.06",
"_type": "xyz",
"_id": "HZ_2oaGvQvKWvsOLyYrGrx",
"_score": 1,
"_source": {
"@version": "1",
"@timestamp": "2014-02-05T16:01:01.260-08:00",
"type": "xyz",
"host": "compute-3.lab.solinea.com",
"received_at": "2014-02-05 21:01:01 UTC",
"received_from": "10.10.11.32",
"total_widgets": 13,
}
}
在这种情况下,我正在寻找此日期存储区的唯一主机的总和(max(total_widgets)).我正在尝试一个日期组合图,但没有得到我想要的东西.在这个例子中:
{
"query": {
"range": {
"@timestamp": {
"gte": "2014-02-05T00:00:00+00:00",
"lte": "2014-03-05T00:00:00+00:00"
}
}
},
"facets": {
"total_widgets_facet": {
"date_histogram": {
"key_field": "@timestamp",
"value_field": "total_widgets",
"interval": "hour"
},
"facet_filter": {
"term": {
"type": "xyz"
}
}
}
}
}
我得到了最大值24,但我还没有完全了解如何构造查询和方面,以便我查看时间桶中所有唯一主机的"total_widgets"的最大值.
我非常感谢任何建议......
我没有找到使用Elasticsearch 0.90.x执行此操作的有效方法,但以下查询是如何在1.0.x中使用聚合来实现所需结果的示例:
{
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": "2014-02-07T00:00:00.000-00:00",
"to": "2014-02-07T23:59:59.999-00:00"
}
}
},
{
"term": {
"type": "xyz"
}
}
]
}
},
"aggs": {
"events_by_host": {
"terms": {
"field": "host.raw"
},
"aggs": {
"events_by_date": {
"date_histogram": {
"field": "@timestamp",
"interval": "hour"
},
"aggs": {
"max_total_widgets": {
"max": {
"field": "total_widgets"
}
},
"avg_total_widgets": {
"avg": {
"field": "total_widgets"
}
}
}
}
}
}
}
}
我在这里写了一篇关于这个主题的博客文章: Elasticsearch Aggs拯救了这一天
| 归档时间: |
|
| 查看次数: |
3213 次 |
| 最近记录: |