sql到es：在agg上获取限制页和订单结果

os8fio9y 于 2021-06-10 发布在 ElasticSearch

关注(0)|答案(1)|浏览(470)

SELECT
    max( timestamp ) AS first_time,
    min( timestamp ) AS last_time,
    src_ip,
    threat_target ,
    count(*) as count
FROM
    traffic 
GROUP BY
    src_ip,
    threat_target

ORDER BY
  first_time desc

LIMIT 0 ,10

我想得到这个结果，但我不知道怎么得到 limit size 在哪里使用 sort ```
{
"size": 0,
"aggregations": {
"src_ip": {
"aggregations": {
"threat_target": {
"aggregations": {
"last_time": {
"max": {
"field": "timestamp"
}
},
"first_time": {
"min": {
"field": "timestamp"
}
}
},
"terms": {
"field": "threat_target.keyword"
}
}
},
"terms": {
"field": "src_ip.keyword"
}

}
}

elasticsearch

来源：https://stackoverflow.com/questions/63967386/sql-to-es-get-limit-page-and-order-result-on-agg

1条答案

按热度按时间

y4ekin9u1#

在ElasticSearch中通常不支持聚合分页，但是，复合聚合提供了一种对聚合分页的方法。
与其他多bucket聚合不同，复合聚合可用于有效地对多级聚合中的所有bucket进行分页。
摘自复合聚合es文档。
check:this
除了“order by first\u time desc”，下面的查询应该可以正常运行。我不认为除了分组字段（src\u ip，threat\u target）之外的任何字段都可以排序。

GET traffic/_search
 {
 "size": 0,
 "aggs": {
 "my_bucket": {
 "composite": {
 "size": 2,  //<=========== PAGE SIZE
 /*"after":{   // <========== INCLUDE THIS FROM Second request onwards, passing after_key of the last output here for next page
   "src_ip" : "1.2.3.5",
   "threat_target" : "T3"
 },*/
 "sources": [
   {

     "src_ip": {
       "terms": {
         "field": "source_ip",
         "order": "desc"
       }
     }
   },
   {
     "threat_target": {
       "terms": {
         "field": "threat_target"
       }
     }
   }
 ]
 },
"aggs": {
 "first_time": {
   "max": {
     "field": "first_time"
   }
 }
 }
 }
 }
 }

赞(0）回复(0）举报 2021-06-11

我来回答

sql到es：在agg上获取限制页和订单结果

1条答案

相关问题

热门标签

最新问答