Elasticsearch: get the maximum value of a nested object in an aggregation

q43xntqr  posted 5 months ago in ElasticSearch

I have a doc structure like this:

{
    "_index": "infra-metrics",
    "_id": "C4-XIIwBNCt3Y4ACckwp",
    "_score": 1,
    "_source": {
      "resourceId": "e5735563-2b4c-46e9-a38d-4728a5617ebc",
      "tenantId": "d7842881-31c9-4974-bc87-7a621ba440a5",
      "timestamp": "2023-11-30T14:17:24.627",
      "points": [
        {
          "measurement": "win_logical_disk",
          "precison": "MILLISECONDS",
          "size": 1000186310656,
          "free": 173625864192,
          "name": "C:",
          "load": 83
        },
        {
          "measurement": "win_logical_disk",
          "precison": "MILLISECONDS",
          "size": 999559262208,
          "free": 554817146880,
          "name": "D:",
          "load": 44
        }
      ]
    }
  }

I need the maximum load of each disk per day for the last 29 days. How can I achieve that?
I first came up with this query:

{
  "size": 0, 
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "timestamp": {
              "gte": "now-29d/d",
              "lte": "now/d"
            }
          }
        },
        {
          "term": {
            "resourceId.keyword": {
              "value": "e5735563-2b4c-46e9-a38d-4728a5617ebc"
            }
          }
        },
        {
          "term": {
            "tenantId.keyword": {
              "value": "d7842881-31c9-4974-bc87-7a621ba440a5"
            }
          }
        },
        {
          "bool": {
            "should": [
              {
                "term": {
                  "points.measurement.keyword": {
                    "value": "win_logical_disk"
                  }
                }
              },
              {
                "term": {
                  "points.measurement.keyword": {
                    "value": "lnx_logical_disk"
                  }
                }
              },
              {
                "term": {
                  "points.measurement.keyword": {
                    "value": "ibmi_asp"
                  }
                }
              }
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "date_histogram": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "day",
        "extended_bounds": {
          "min": "now-29d/d",
          "max": "now/d"
        }
      },
      "aggs": {
        "disk": {
          "terms": {
            "field": "points.name.keyword"
          },
          "aggs": {
            "max": {
              "max": {
                "field": "points.load"
              }
            }
          }
        }
      }
    }
  }
}


Suppose I have only one document today, the one I provided above. If I run the query above, it returns the following:

{
      "key_as_string": "2023-11-30T00:00:00.000Z",
      "key": 1701302400000,
      "doc_count": 13,
      "disk": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "C:",
            "doc_count": 13,
            "max": {
              "value": 83
            }
          },
          {
            "key": "D:",
            "doc_count": 13,
            "max": {
              "value": 83
            }
          }
        ]
      }
    }


But I want the query to return:
For "C:": 83
For "D:": 44
I know why it doesn't work, but I don't know how to do it.
Any ideas?
Thanks

llew8vvj #1

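The reason is that you are using the object field type. If you use the nested field type, the problem will be fixed. For details, check this article.
Here is some useful information about object vs. nested:
Use object fields when the structure of the sub-fields matters but the relationship between them does not. They are indexed as separate, independent fields and can be queried independently. However, if you need to maintain the relationship between sub-fields, object fields may not be suitable, because they do not preserve the correlation between sub-fields.
On the other hand, use nested fields when you need to maintain the relationship between sub-fields. They are indexed as separate hidden documents, which allows queries to maintain the relationship between the sub-fields. This is especially useful when you have an array of objects and want to query for objects that match multiple criteria.
Here is an example for you.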

# Index the sample document; with dynamic mapping, "points" becomes an object field
PUT measurement/_doc/1
{
  "resourceId": "e5735563-2b4c-46e9-a38d-4728a5617ebc",
  "tenantId": "d7842881-31c9-4974-bc87-7a621ba440a5",
  "timestamp": "2023-11-30T14:17:24.627",
  "points": [
    {
      "measurement": "win_logical_disk",
      "precison": "MILLISECONDS",
      "size": 1000186310656,
      "free": 173625864192,
      "name": "C:",
      "load": 83
    },
    {
      "measurement": "win_logical_disk",
      "precison": "MILLISECONDS",
      "size": 999559262208,
      "free": 554817146880,
      "name": "D:",
      "load": 44
    }
  ]
}

# Aggregation on the object-mapped index: both disks report the same max
GET measurement/_search
{
  "size": 0,
  "aggs": {
    "date_histogram": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "day",
        "extended_bounds": {
          "min": "now-29d/d",
          "max": "now/d"
        }
      },
      "aggs": {
        "disk": {
          "terms": {
            "field": "points.name.keyword"
          },
          "aggs": {
            "max": {
              "max": {
                "field": "points.load"
              }
            }
          }
        }
      }
    }
  }
}

# Create a second index in which "points" is mapped as nested
PUT measurement_nested
{
  "mappings": {
    "properties": {
      "points": {
        "type": "nested"
      }
    }
  }
}

# Copy the documents into the nested-mapped index
POST _reindex
{
  "source": {
    "index": "measurement"
  },
  "dest": {
    "index": "measurement_nested"
  }
}

# Same aggregation wrapped in a nested aggregation: max is computed per disk
GET measurement_nested/_search
{
  "size": 0,
  "aggs": {
    "date_histogram": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "day",
        "extended_bounds": {
          "min": "now-29d/d",
          "max": "now/d"
        }
      },
      "aggs": {
        "disk": {
          "nested": {
            "path": "points"
          },
          "aggs": {
            "NAME": {
              "terms": {
                "field": "points.name.keyword"
              },
              "aggs": {
                "max": {
                  "max": {
                    "field": "points.load"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
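
Added example (not part of the answer above): a small Python model of why the object mapping reports 83 for both disks while the nested mapping reports 83 and 44. It simplifies how Elasticsearch indexes arrays of objects and is not Elasticsearch code; the function names are made up for the illustration.

```python
from collections import defaultdict

# Constructed sample: name/load of the two "points" entries from the document above.
DOC = {"points": [{"name": "C:", "load": 83}, {"name": "D:", "load": 44}]}


def index_as_object(doc):
    """Object mapping: the array of objects is flattened into ONE document
    whose fields are multi-valued, so the name/load pairing is lost."""
    flat = defaultdict(list)
    for point in doc["points"]:
        for key, value in point.items():
            flat["points." + key].append(value)
    return [dict(flat)]


def index_as_nested(doc):
    """Nested mapping: every array element becomes its own hidden document."""
    return [{"points." + k: [v] for k, v in p.items()} for p in doc["points"]]


def terms_then_max(docs, terms_field, max_field):
    """Model of a terms aggregation with a max sub-aggregation: a document
    lands in one bucket per term value it holds, and max sees every value
    of max_field in the documents of that bucket."""
    buckets = defaultdict(list)
    for d in docs:
        for term in d.get(terms_field, []):
            buckets[term].extend(d.get(max_field, []))
    return {term: max(values) for term, values in buckets.items() if values}


def max_load_per_disk(doc, mapping):
    """mapping is "object" or "nested" (hypothetical switch for this model)."""
    docs = index_as_object(doc) if mapping == "object" else index_as_nested(doc)
    return terms_then_max(docs, "points.name", "points.load")


if __name__ == "__main__":
    print("object:", max_load_per_disk(DOC, "object"))  # C: and D: both 83
    print("nested:", max_load_per_disk(DOC, "nested"))  # C: 83, D: 44
```
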

