elasticsearch最新n条记录的聚合

oymdgrw7  于 2021-07-13  发布在  ElasticSearch
关注(0)|答案(1)|浏览(445)

有没有办法对最新的n个记录进行聚合?
这个解决方案不起作用

{
   "query": {...},
   "size": N,
   "order": ...,
   "aggs": {
       ....
   }
}

有关更多详细信息:我想从“服务名称”字段为“x”的记录中获取最后10条记录,然后对这10条记录进行聚合,以找出其中有多少条记录在“响应代码”字段中“成功”。
我的数据是这样的:

[
  {
    "_index": "logs",
    "_type": "_doc",
    "_id": "1232525",
    "_score": 1,
    "_source": {
      "resp_body": "",
      "client_ip": "127.0.0.1",
      "resp_time": "2021-04-15T10:24:51+01:00",
      "@timestamp": "2021-04-15T05:55:00.452Z",
      "resp_code": "412",
      "service_name": "service1",
      "log_id": "1232525"
    }
  },
  {
    "_index": "logs",
    "_type": "_doc",
    "_id": "1232524",
    "_score": 1,
    "_source": {
      "resp_body": "",
      "client_ip": "127.0.0.1",
      "resp_time": "2021-04-15T10:23:51+01:00",
      "@timestamp": "2021-04-15T05:53:00.452Z",
      "resp_code": "0",
      "service_name": "service2",
      "log_id": "1232524"
    }
  },
  {
    "_index": "logs",
    "_type": "_doc",
    "_id": "1232523",
    "_score": 1,
    "_source": {
      "resp_body": "",
      "client_ip": "127.0.0.1",
      "resp_time": "2021-04-15T10:22:51+01:00",
      "@timestamp": "2021-04-15T05:52:00.452Z",
      "resp_code": "0",
      "service_name": "service1",
      "log_id": "1232523"
    }
  },
  {
    "_index": "logs",
    "_type": "_doc",
    "_id": "1232522",
    "_score": 1,
    "_source": {
      "resp_body": "",
      "client_ip": "127.0.0.1",
      "resp_time": "2021-04-15T10:21:51+01:00",
      "@timestamp": "2021-04-15T05:51:00.452Z",
      "resp_code": "0",
      "service_name": "service1",
      "log_id": "1232522"
    }
  },
  {
    "_index": "logs",
    "_type": "_doc",
    "_id": "1232521",
    "_score": 1,
    "_source": {
      "resp_body": "",
      "client_ip": "127.0.0.1",
      "resp_time": "2021-04-15T10:20:51+01:00",
      "@timestamp": "2021-04-15T05:50:00.452Z",
      "resp_code": "0",
      "service_name": "service2",
      "log_id": "1232521"
    }
  }
]

例如:我想得到最后2条“service\u name=service1”的记录,并找出其中有多少条“resp\u code=0”

elasticsearchFilterAggregation

1条答案

按热度按时间
ifsvaxew

ifsvaxew1#

您需要使用术语聚合、过滤器聚合和最大聚合的组合来实现所需的结果。
使用筛选器聚合( first_filter ),首先,过滤这些文档 "service_name=service1" 然后使用术语聚合( top_terms_aggregation )创建基于 log_id 现场。这些桶是分类的 desc 订单基于 @timestamp 字段(使用最大聚合)
再次使用过滤器聚合( second_filter ),这些文档被过滤掉 "resp_code=0" 添加一个工作示例,包括索引Map、数据(与问题相同)、搜索查询和搜索结果
索引Map:

{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
      }
    }
  }
}

搜索查询:

{
  "size": 0,
  "aggs": {
    "first_filter": {
      "filter": {
        "bool": {
          "must": [
            {
              "term": {
                "service_name.keyword": "service1"
              }
            }
          ]
        }
      },
      "aggs": {
        "top_terms_aggregation": {
          "terms": {
            "field": "log_id.keyword",
            "size": 10,
            "order": {
              "second_filter>latestRecord": "desc"
            }
          },
          "aggs": {
            "second_filter": {
              "filter": {
                "bool": {
                  "must": [
                    {
                      "term": {
                        "resp_code": "0"
                      }
                    }
                  ]
                }
              },
              "aggs": {
                "latestRecord": {
                  "max": {
                    "field": "@timestamp"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

搜索结果:

"aggregations": {
    "first_filter": {
      "doc_count": 3,
      "top_terms_aggregation": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "1232523",
            "doc_count": 1,
            "second_filter": {
              "doc_count": 1,
              "latestOrder": {
                "value": 1.618465920452E12,
                "value_as_string": "2021-04-15T05:52:00.452Z"      // note this
              }
            }
          },
          {
            "key": "1232522",
            "doc_count": 1,
            "second_filter": {
              "doc_count": 1,
              "latestOrder": {
                "value": 1.618465860452E12,
                "value_as_string": "2021-04-15T05:51:00.452Z"          // note this
              }
            }
          },
          {
            "key": "1232525",
            "doc_count": 1,
            "second_filter": {
              "doc_count": 0,
              "latestOrder": {
                "value": null
              }
            }
          }
        ]
      }
    }
  }
赞(0)分享  回复(0)举报  2021-07-13
我来回答

相关问题

    查看更多
    微信公众号

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com