ElasticSearch Aggregation Group by order by sub terms field doc count
My mapping model:
// TypeLog: Error, Info, Warn
{
"onef-sora": {
"mappings": {
"Log": {
"properties": {
"application": {
"type": "string",
"index": "not_analyzed"
},
"typeLog": {
"type": "string"
}
}
}
}
}
}
My query:
{
"size": 0,
"aggs": {
"application": {
"terms": {
"field": "application",
"order" : { "_count" : "desc"},
"size": 5
},
"aggs": {
"typelogs": {
"terms": {
"field": "typeLog",
"order" : { "_term" : "asc"}
}
}
}
}
}
}
I want to get the top 5 applications that have the most errors, but terms aggregation order supports three keys: _count, _term, _key. How do I order by typeLog doc_count in my query? Thanks!!!
Result I want:
{
"took": 3,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 10000,
"max_score": 0,
"hits": []
},
"aggregations": {
"application": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 5000,
"buckets": [
{
"key": "OneF0",
"doc_count": 1000,
"typelogs": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "error",
"doc_count": 334
},
{
"key": "info",
"doc_count": 333
},
{
"key": "warn",
"doc_count": 333
}
]
}
},
{
"key": "OneF1",
"doc_count": 1000,
"typelogs": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "error",
"doc_count": 333
},
{
"key": "info",
"doc_count": 334
},
{
"key": "warn",
"doc_count": 333
}
]
}
},
{
"key": "OneF2",
"doc_count": 1000,
"typelogs": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "error",
"doc_count": 332
},
{
"key": "info",
"doc_count": 333
},
{
"key": "warn",
"doc_count": 334
}
]
}
}
]
}
}
}
As you want to get the top 5 applications with the most errors, you can filter to keep only error logs in the query (you could use a filter). Then you only need to order your sub-terms aggregation by descending count:
{
"size": 0,
"query": {
"term": {
"typeLog": "Error"
}
},
"aggs": {
"application": {
"terms": {
"field": "application",
"order": {
"_count": "desc"
},
"size": 5
},
"aggs": {
"typelogs": {
"terms": {
"field": "typeLog",
"order": {
"_count": "desc"
}
}
}
}
}
}
}
To keep all typeLogs, you may need to perform your query the other way round:
{
"size": 0,
"aggs": {
"typelogs": {
"terms": {
"field": "typeLog",
"order": {
"_count": "asc"
}
},
"aggs": {
"application": {
"terms": {
"field": "application",
"order": {
"_count": "desc"
},
"size": 5
}
}
}
}
}
}
You will have 3 first-level buckets, then the top 5 applications by type of log.
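Added example, not code from the question or the answer: a small offline Python emulation of the aggregation shapes discussed above, run over constructed sample logs, so the difference between the orderings can be checked without a cluster. `SAMPLE_LOGS`, `terms_agg`, `filter_agg` and the query functions are names chosen here. It also includes a third shape the answer does not mention, which I assume the terms aggregation's order path syntax supports (ordering the application buckets by the doc_count of a filter sub-aggregation, e.g. "order": {"errors._count": "desc"}); check that against the ordering section of your Elasticsearch version's terms aggregation documentation before relying on it. One caveat the emulation makes explicit: typeLog is an analyzed string in the mapping, so the indexed tokens are lowercase ("error", as the expected result shows) and a term query or filter must use "error", not "Error".

```python
from collections import defaultdict

# Constructed sample documents (not data from the post). typeLog values are
# lowercase because the mapping leaves that field analyzed, so the indexed
# terms (and the bucket keys in the result above) are "error"/"info"/"warn".
SAMPLE_LOGS = (
    [{"application": "OneF0", "typeLog": "error"}] * 5
    + [{"application": "OneF0", "typeLog": "info"}] * 20
    + [{"application": "OneF1", "typeLog": "error"}] * 12
    + [{"application": "OneF1", "typeLog": "warn"}] * 3
    + [{"application": "OneF2", "typeLog": "error"}] * 8
    + [{"application": "OneF2", "typeLog": "info"}] * 2
    + [{"application": "OneF3", "typeLog": "info"}] * 30
)


def terms_agg(docs, field, order="_count:desc", size=10, sub_aggs=None):
    """Minimal stand-in for an Elasticsearch terms bucket aggregation.

    Groups docs by `field`, evaluates `sub_aggs` (name -> callable(docs)) inside
    each bucket, sorts buckets by an order path and keeps `size` of them.
    Emulated order paths: "_count", "_term"/"_key", and "<filter_agg>._count"
    (order by the doc_count of a single-bucket sub-aggregation; assumed ES syntax).
    """
    groups = defaultdict(list)
    for doc in docs:
        groups[doc[field]].append(doc)

    buckets = []
    for key in sorted(groups):  # term-ascending order is the tie-breaker
        bucket_ = {"key": key, "doc_count": len(groups[key])}
        for name, agg in (sub_aggs or {}).items():
            bucket_[name] = agg(groups[key])
        buckets.append(bucket_)

    path, direction = order.split(":")
    if path in ("_term", "_key"):
        def sort_key(b):
            return b["key"]
    elif path == "_count":
        def sort_key(b):
            return b["doc_count"]
    else:
        name, metric = path.split(".")
        if metric != "_count":
            raise ValueError("only '<sub_agg>._count' paths are emulated")

        def sort_key(b):
            return b[name]["doc_count"]

    # list.sort is stable, so equal counts keep the term-ascending order
    buckets.sort(key=sort_key, reverse=(direction == "desc"))
    return {"buckets": buckets[:size]}


def filter_agg(field, value):
    """Single-bucket filter aggregation: doc_count of docs with field == value."""
    def run(docs):
        return {"doc_count": sum(1 for d in docs if d[field] == value)}
    return run


def bucket(result, key):
    """Return the bucket with the given key from an aggregation result."""
    return next(b for b in result["buckets"] if b["key"] == key)


def top_apps(result):
    return [b["key"] for b in result["buckets"]]


def original_query(docs):
    """The question's query: applications ranked by total doc_count, not by errors."""
    return terms_agg(docs, "application", "_count:desc", 5,
                     {"typelogs": lambda ds: terms_agg(ds, "typeLog", "_term:asc")})


def filtered_query(docs):
    """Answer, first form: keep only error logs, then _count is the error count."""
    errors = [d for d in docs if d["typeLog"] == "error"]  # the "term" query
    return terms_agg(errors, "application", "_count:desc", 5,
                     {"typelogs": lambda ds: terms_agg(ds, "typeLog", "_count:desc")})


def inverted_query(docs):
    """Answer, second form: typeLog outside, application inside; read the 'error' bucket."""
    return terms_agg(docs, "typeLog", "_count:asc", 10,
                     {"application": lambda ds: terms_agg(ds, "application", "_count:desc", 5)})


def filter_subagg_query(docs):
    """Assumed alternative (verify on your ES version): order application buckets
    by a filter sub-aggregation's doc_count while keeping every typeLog bucket."""
    return terms_agg(docs, "application", "errors._count:desc", 5,
                     {"errors": filter_agg("typeLog", "error"),
                      "typelogs": lambda ds: terms_agg(ds, "typeLog", "_term:asc")})


if __name__ == "__main__":
    print("original:", top_apps(original_query(SAMPLE_LOGS)))
    print("filtered:", top_apps(filtered_query(SAMPLE_LOGS)))
    print("inverted:", top_apps(bucket(inverted_query(SAMPLE_LOGS), "error")["application"]))
    print("sub-agg :", top_apps(filter_subagg_query(SAMPLE_LOGS)))
```

Running it shows why the original query cannot answer the question: OneF3 has no errors at all but tops the original ranking on total volume, while both answer forms and the filter-sub-aggregation form rank OneF1, OneF2, OneF0 by error count; only the last form also keeps the non-error typelogs buckets for each application.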