几个字段上的Elasticsearch聚合并推送到索引
几个字段上的Elasticsearch聚合并推送到索引
提问于 2022-01-20 19:43:53
我在ElasticSearch中有以下数据索引的文档-ip
"ipAddress": "ip-A", "timestamp": "Day 1, Month A", "value": 1
"ipAddress": "ip-A", "timestamp": "Day 2, Month A", "value": 2
"ipAddress": "ip-B", "timestamp": "Day 3, Month B", "value": 3
"ipAddress": "ip-B", "timestamp": "Day 4, Month B", "value": 4我如何编写一个查询,例如,为特定字段(即ipAddress )找到最大/分钟/平均值,然后创建一个新的聚合索引,比如agg ip:
"ipAddress": "ip-A", "month": "Month A", "max_value": 2
"ipAddress": "ip-B", "month": "Month B", "max_value": 4我检查了关于最大聚合的ES文档,但是不知道如何创建一个新的索引(或者将新的结果插入到现有的agg ip)。
任何帮助都是非常感谢的!
回答 1
Stack Overflow用户
发布于 2022-01-26 12:46:32
您可以使用术语聚合和顶级点击聚合,以实现所需的结果。
{
"size": 0,
"aggs": {
"ip-add-terms": {
"terms": {
"field": "ipAddress.keyword"
},
"aggs": {
"top_sales_hits": {
"top_hits": {
"sort": [
{
"value": {
"order": "desc"
}
}
],
"_source": {
"includes": [
"ipAddress",
"timestamp",
"value"
]
},
"size": 1
}
}
}
}
}
}结果将是
"aggregations" : {
"ip-add-terms" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "ip-A",
"doc_count" : 2,
"top_sales_hits" : {
"hits" : {
"total" : {
"value" : 2,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "70792509",
"_type" : "_doc",
"_id" : "2",
"_score" : null,
"_source" : {
"ipAddress" : "ip-A",
"value" : 2,
"timestamp" : "Day 2, Month A"
},
"sort" : [
2
]
}
]
}
}
},
{
"key" : "ip-B",
"doc_count" : 2,
"top_sales_hits" : {
"hits" : {
"total" : {
"value" : 2,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "70792509",
"_type" : "_doc",
"_id" : "4",
"_score" : null,
"_source" : {
"ipAddress" : "ip-B",
"value" : 4,
"timestamp" : "Day 4, Month B"
},
"sort" : [
4
]
}
]
}
}
}
]
}如果要创建具有聚合结果的新索引,则可以将顶部命中聚合的聚合结果的_source 部分索引到新索引中.。
根据这,不能将聚合结果推到新索引中。
的另一种方式是使用logstash并将结果存储到一个新的索引.中。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/70792509
复制相关文章
相似问题
腾讯云开发者
