Date_histogram Elasticsearch facet can't find field

I am using the date_histogram facet to find results based on an Epoch timestamp. The results are displayed on a histogram, with the date on the x-axis and the count of events on the y-axis. Here is the code that I have that doesn't work:

angular.module('controllers', [])
  .controller('FacetsController', function($scope, $http) {
    var payload = {
      query: {
        match: {
          run_id: '9'
        }
      },
      facets: {
        date: {
          date_histogram: {
            field: 'event_timestamp',
            factor: '1000',
            interval: 'second'
          }
        }
      }
    };
    // the payload is then POSTed to Elasticsearch with $http (request omitted in the post)
  });

It works if I am using field: '@timestamp', which is in ISO8601 format; however, I need it to now work with Epoch timestamps.

Here is an example of what's in my Elasticsearch; maybe this can lead to some answers:

{
   "@version": "1",
   "@timestamp": "2014-07-04T13:13:35.372Z",
   "type": "automatic",
   "installer_version": "0.3.0",
   "log_type": "access.log",
   "user_id": "1",
   "event_timestamp": "1404479613",
   "run_id": "9"
}

When I run this, I receive this error: POST 400 (Bad Request)

Any ideas as to what could be wrong here? I don't understand why I'd have such a difference from using the two different fields, as the only difference is the format. I researched as best I could and discovered I should be using 'factor', but that didn't seem to solve my problem. I am probably making a silly beginner mistake!

You need to set up the indexing initially. Elasticsearch is good at defaults, but it is not possible for it to determine whether the provided value is a timestamp, an integer or a string. So it's your job to tell Elasticsearch.

Let me explain by example. Let's consider that the following document is what you are trying to index:

{
   "@version": "1",
   "@timestamp": "2014-07-04T13:13:35.372Z",
   "type": "automatic",
   "installer_version": "0.3.0",
   "log_type": "access.log",
   "user_id": "1",
   "event_timestamp": "1404474613",
   "run_id": "9"
}

So initially you don't have an index, and you index your document by making an HTTP request like so:

POST /test/date_experiments
{
   "@version": "1",
   "@timestamp": "2014-07-04T13:13:35.372Z",
   "type": "automatic",
   "installer_version": "0.3.0",
   "log_type": "access.log",
   "user_id": "1",
   "event_timestamp": "1404474613",
   "run_id": "9"
}

This creates a new index called test and a new doc type in index test called date_experiments.

You can check the mapping of this doc type date_experiments by doing so:

GET /test/date_experiments/_mapping

And what you get in the result is an auto-generated mapping that was generated by Elasticsearch:

{
   "test": {
      "date_experiments": {
         "properties": {
            "@timestamp": {
               "type": "date",
               "format": "dateOptionalTime"
            },
            "@version": {
               "type": "string"
            },
            "event_timestamp": {
               "type": "string"
            },
            "installer_version": {
               "type": "string"
            },
            "log_type": {
               "type": "string"
            },
            "run_id": {
               "type": "string"
            },
            "type": {
               "type": "string"
            },
            "user_id": {
               "type": "string"
            }
         }
      }
   }
}

Notice that the type of the event_timestamp field is set to string, which is why your date_histogram is not working. Also notice that the type of the @timestamp field is already date, because you pushed the date in the standard format, which made it easy for Elasticsearch to recognize that your intention was to push a date in that field.

Drop this mapping by sending a DELETE request to /test/date_experiments and let's start from the beginning.

This time, instead of pushing the document first, we will make the mapping according to our requirements so that our event_timestamp field is considered a date.

Make the following HTTP request:

PUT /test/date_experiments/_mapping
{
   "date_experiments": {
      "properties": {
         "@timestamp": {
            "type": "date"
         },
         "@version": {
            "type": "string"
         },
         "event_timestamp": {
            "type": "date"
         },
         "installer_version": {
            "type": "string"
         },
         "log_type": {
            "type": "string"
         },
         "run_id": {
            "type": "string"
         },
         "type": {
            "type": "string"
         },
         "user_id": {
            "type": "string"
         }
      }
   }
}

Notice that I have changed the type of the event_timestamp field to date. I have not specified a format because Elasticsearch is good at understanding a few standard formats, as in the case of the @timestamp field where you pushed a date. In this case, Elasticsearch will be able to understand that you are trying to push a UNIX timestamp and convert it internally to treat it as a date and allow all date operations on it. You can specify a date format in the mapping just in case the dates you are pushing are not in any standard format.

Now you can start indexing your documents and start running your date queries and facets the same way as you were doing earlier.

You should read more about mapping and date format.
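As an added example (not code from the question or the answer above), the following JavaScript puts the answer's advice into a client-side pre-flight check: build the explicit mapping, read the field type out of a GET _mapping response, and refuse to build the date_histogram facet when the target field is not mapped as a date, so the caller gets a readable error instead of a bare 400 from the server. Index, type and field names are taken from the post; the two mapping responses are constructed samples shaped like Elasticsearch 1.x GET /test/date_experiments/_mapping output, and the epochSecondsToIso helper is an assumption added here to show what the stored value denotes (Elasticsearch keeps dates as epoch milliseconds internally, which is why the question reaches for factor 1000).

```javascript
// Added example, not from the original post. Pre-flight mapping check
// for a date_histogram facet on Elasticsearch 1.x. Index/type/field
// names come from the post; mapping responses below are constructed.

const INDEX = 'test';
const TYPE = 'date_experiments';

// Explicit mapping from the answer: event_timestamp declared as a date.
function buildMapping() {
  const str = { type: 'string' };
  return {
    [TYPE]: {
      properties: {
        '@timestamp': { type: 'date' },
        '@version': str,
        event_timestamp: { type: 'date' },
        installer_version: str,
        log_type: str,
        run_id: str,
        type: str,
        user_id: str,
      },
    },
  };
}

// Constructed sample: the auto-generated mapping before the fix, where
// Elasticsearch guessed event_timestamp as a string.
const AUTO_MAPPING_RESPONSE = {
  test: {
    date_experiments: {
      properties: {
        '@timestamp': { type: 'date', format: 'dateOptionalTime' },
        event_timestamp: { type: 'string' },
        run_id: { type: 'string' },
      },
    },
  },
};

// Constructed sample: the mapping after PUTting buildMapping().
const FIXED_MAPPING_RESPONSE = { [INDEX]: buildMapping() };

// Returns the mapped type of `field` in a GET _mapping response, or
// null when the field is not mapped at all.
function fieldType(mappingResponse, index, type, field) {
  const idx = mappingResponse[index] || {};
  const typ = idx[type] || {};
  const props = typ.properties || {};
  return props[field] ? props[field].type : null;
}

// Builds the search body from the question, but only after confirming
// the facet field is a date; a string field would be rejected by the
// server with an opaque 400, so fail early with a message instead.
function buildSearchBody(mappingResponse, runId, field, interval, factor) {
  const t = fieldType(mappingResponse, INDEX, TYPE, field);
  if (t !== 'date') {
    throw new Error(
      `date_histogram on ${INDEX}/${TYPE}.${field}: mapped as ${t}, need date`
    );
  }
  const facet = { date_histogram: { field: field, interval: interval } };
  if (factor !== undefined) facet.date_histogram.factor = factor;
  return {
    query: { match: { run_id: String(runId) } },
    facets: { date: facet },
  };
}

// Hypothetical helper (assumption, not from the post): the documents
// carry epoch *seconds* as strings; converting them shows the instant
// they denote. Non-integer input is rejected rather than silently
// coerced to an Invalid Date.
function epochSecondsToIso(value) {
  const seconds = Number(value);
  if (!Number.isInteger(seconds)) {
    throw new Error(`not an epoch-seconds value: ${JSON.stringify(value)}`);
  }
  return new Date(seconds * 1000).toISOString();
}

// Usage: the body below is what would be POSTed to /test/_search.
// console.log(JSON.stringify(
//   buildSearchBody(FIXED_MAPPING_RESPONSE, 9, 'event_timestamp', 'second', '1000'),
//   null, 2));
```

Running buildSearchBody against the auto-generated mapping throws before any request is sent, while against the explicit mapping it returns the same payload the question's controller builds. The check is deliberately done against the live mapping rather than against a hard-coded assumption, since a re-created index with dynamic mapping will silently revert event_timestamp to string.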
