[英]elastic search Nested query filter based on date is not returning correct results
我有嵌套查詢,其中我在過濾當前日期數據,然后使用具有小時間隔的日期直方圖聚合來匯總數據,但是在日期直方圖輸出中,它也返回前一天的數據。 過濾器不起作用?
這是我的查詢:
POST finalalertbrowser/_search?size=0
{
"query": {
"bool": {
"must": [{
"match_phrase": {
"projectId.keyword": "******************************88"
}
}],
"filter": {
"nested": {
"path": "errors",
"query": {
"bool": {
"filter":
{
"range": {
"errors.time": {
"gte": "now/d",
"lte": "now"
}
}
}
}
}
}
}
}
},
"aggs": {
"errorData": {
"nested": {
"path": "errors"
},
"aggs": {
"errorMsg": {
"filter": {
"term": {
"errors.errMsg.keyword": "Uncaught TypeError: $.snapUpdate is not a function"
}
},
"aggs": {
"hourlyData": {
"date_histogram": {
"field": "errors.time",
"interval": "hour",
"time_zone": "+05:30"
}
}
}
}
}
}
}
}
查詢的輸出為:
"aggregations": {
"errorData": {
"doc_count": 89644,
"errorMsg": {
"doc_count": 1861,
"hourlyData": {
"buckets": [
{
"key_as_string": "2018-03-13T11:00:00.000+05:30",
"key": 1520919000000,
"doc_count": 3
},
{
"key_as_string": "2018-03-13T12:00:00.000+05:30",
"key": 1520922600000,
"doc_count": 2
},
{
"key_as_string": "2018-03-13T13:00:00.000+05:30",
"key": 1520926200000,
"doc_count": 2
},
{
"key_as_string": "2018-03-13T14:00:00.000+05:30",
"key": 1520929800000,
"doc_count": 2
},
{
"key_as_string": "2018-03-13T15:00:00.000+05:30",
"key": 1520933400000,
"doc_count": 4
},
{
"key_as_string": "2018-03-13T16:00:00.000+05:30",
"key": 1520937000000,
"doc_count": 8
},
{
"key_as_string": "2018-03-13T17:00:00.000+05:30",
"key": 1520940600000,
"doc_count": 6
},
{
"key_as_string": "2018-03-13T18:00:00.000+05:30",
"key": 1520944200000,
"doc_count": 3
},
{
"key_as_string": "2018-03-13T19:00:00.000+05:30",
"key": 1520947800000,
"doc_count": 1
},
{
"key_as_string": "2018-03-13T20:00:00.000+05:30",
"key": 1520951400000,
"doc_count": 2
},
{
"key_as_string": "2018-03-13T21:00:00.000+05:30",
"key": 1520955000000,
"doc_count": 4
},
{
"key_as_string": "2018-03-13T22:00:00.000+05:30",
"key": 1520958600000,
"doc_count": 3
},
{
"key_as_string": "2018-03-13T23:00:00.000+05:30",
"key": 1520962200000,
"doc_count": 2
},
{
"key_as_string": "2018-03-14T00:00:00.000+05:30",
"key": 1520965800000,
"doc_count": 1
},
{
"key_as_string": "2018-03-14T01:00:00.000+05:30",
"key": 1520969400000,
"doc_count": 2
},
{
"key_as_string": "2018-03-14T02:00:00.000+05:30",
"key": 1520973000000,
"doc_count": 1
},
{
"key_as_string": "2018-03-14T03:00:00.000+05:30",
"key": 1520976600000,
"doc_count": 1
},
{
"key_as_string": "2018-03-14T04:00:00.000+05:30",
"key": 1520980200000,
"doc_count": 2
},
{
"key_as_string": "2018-03-14T05:00:00.000+05:30",
"key": 1520983800000,
"doc_count": 2
},
{
"key_as_string": "2018-03-14T11:00:00.000+05:30",
"key": 1521005400000,
"doc_count": 349
},
{
"key_as_string": "2018-03-14T12:00:00.000+05:30",
"key": 1521009000000,
"doc_count": 300
},
{
"key_as_string": "2018-03-14T13:00:00.000+05:30",
"key": 1521012600000,
"doc_count": 258
},
{
"key_as_string": "2018-03-14T14:00:00.000+05:30",
"key": 1521016200000,
"doc_count": 247
},
{
"key_as_string": "2018-03-14T15:00:00.000+05:30",
"key": 1521019800000,
"doc_count": 144
},
{
"key_as_string": "2018-03-14T16:00:00.000+05:30",
"key": 1521023400000,
"doc_count": 63
},
{
"key_as_string": "2018-03-14T17:00:00.000+05:30",
"key": 1521027000000,
"doc_count": 30
}
]
}
}
}
}
我已經在2018年3月14日執行了查詢,但是查詢給出了2018年3月13日的輸出。
下面是映射命令:
PUT myIndexName
{
"mappings": {
"webbrowsererror": {
"properties": {
"errors": {
"type": "nested" ,
"properties": {
"time":{"type":"date"}
}
}
}
}
}
}
以下是索引中的樣本記錄:
_source": {
"projectId": "******************",
"sId": "bt82x3g8v1505001600027",
"pId": "bt82x3g8v1505001600027.1",
"pageURL": "***************************",
"startTime": 1505001600027,
"country": "unknown",
"size": 2,
"errors": [
{
"sid": "bt82x3g8v1505001600027",
"pid": "bt82x3g8v1505001600027.1",
"browser": "Googlebot",
"time": 1505001600028,
"errMsg": "Uncaught SyntaxError: Invalid regular expression: missing /",
"url": "********************************",
"lineNo": 161,
"colNo": 54
},
{
"sid": "bt82x3g8v1505001600027",
"pid": "bt82x3g8v1505001600027.1",
"browser": "Googlebot",
"time": 1505001600058,
"errMsg": "Uncaught Error: Syntax error, unrecognized expression: #!",
"url": "************************************************************",
"lineNo": 3,
"colNo": 69
}
]
}
"_source": {
"projectId": "shaan-shaanstack-1-1517388493060",
"sId": "bt82x3g8v1502496000027",
"pId": "bt82x3g8v1502496000027.1",
"startTime": 1502496000027,
"country": "US",
"size": 1,
"errors": [
{
"sid": "bt82x3g8v1502496000027",
"pid": "bt82x3g8v1502496000027.1",
"browser": "Chrome Mobile",
"time": 1502496000128,
"errMsg": "Uncaught Error: Syntax error, unrecognized expression: #!",
"url": "**************************************************",
"lineNo": 2,
"colNo": 69
}
]
}
"_source": {
"projectId": null,
"sId": "888888888888888",
"pId": "bt82x3g8v1505001600027.1",
"pageURL": "******************",
"startTime": 1505001600027,
"country": "unknown",
"size": 2,
"errors": [
{
"sid": "bt82x3g8v1505001600027",
"pid": "bt82x3g8v1505001600027.1",
"browser": "Googlebot",
"time": 1505001600028,
"errMsg": "Uncaught SyntaxError: Invalid regular expression: missing /",
"url": "***********************************",
"lineNo": 170,
"colNo": 54
},
{
"sid": "bt82x3g8v1505001600027",
"pid": "bt82x3g8v1505001600027.1",
"browser": "Googlebot",
"time": 1505001600082,
"errMsg": "Uncaught Error: Syntax error, unrecognized expression: #!",
"url": "***********************************",
"lineNo": 3,
"colNo": 69
}
]
}
我相信您的查詢有幾個問題:
- 應使用 terms 查詢來獲得完全匹配(下面的示例實際使用的是 term 查詢);
- nested 查詢應放在 bool/must 子句中。
試試看(注意:我排除了聚合部分):
{
"sort": [
{
"errors.time": {
"order": "asc"
}
}
],
"query": {
"bool": {
"must": [
{
"term": {
"projectId.keyword": {
"value": "******************************88"
}
}
},
{
"nested": {
"path": "errors",
"query": {
"range": {
"errors.time": {
"gte": "now/d",
"lte": "now"
}
}
}
}
}
]
}
}
}
確認查詢僅返回正確的數據後,即可把聚合部分加回到查詢中。
您需要將嵌套字段視為父記錄的一部分。 讓我們以下面的示例為例,我插入一條具有2個嵌套屬性的記錄,一條記錄的時間為“ 2018-01-01T00:00:00Z”,一條記錄的時間為“ 2018-01-02T00:00:00Z”
插入命令:
POST jaytest/webbrowsererror
{
"projectId": "******************",
"sId": "bt82x3g8v1505001600027",
"pId": "bt82x3g8v1505001600027.1",
"pageURL": "***************************",
"startTime": 1505001600027,
"country": "unknown",
"size": 2,
"errors": [
{
"sid": "bt82x3g8v1505001600027",
"pid": "bt82x3g8v1505001600027.1",
"browser": "Googlebot",
"time": "2018-01-01T00:00:00Z",
"errMsg": "Uncaught SyntaxError: Invalid regular expression: missing /",
"url": "********************************",
"lineNo": 161,
"colNo": 54
},
{
"sid": "bt82x3g8v1505001600027",
"pid": "bt82x3g8v1505001600027.1",
"browser": "Googlebot",
"time": "2018-01-02T00:00:00Z",
"errMsg": "Uncaught Error: Syntax error, unrecognized expression: #!",
"url": "************************************************************",
"lineNo": 3,
"colNo": 69
}
]
}
現在,我可以對此進行查詢,並指定“僅返回 errors.time >= "2018-01-02T00:00:00Z" 的記錄”:
GET jaytest/webbrowsererror/_search
{
"query": {
"bool": {
"must": [
{
"nested": {
"path": "errors",
"query": {
"range": {
"errors.time": {
"gte": "2018-01-02T00:00:00Z"
}
}
}
}
}
]
}
}
}
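當您運行該查詢時,您會注意到它返回了我插入的單個父記錄,但同時包含了兩個嵌套的“errors”。 那是因為您查詢的是父記錄:nested 查詢只決定哪些父文檔匹配,只要其中任意一個嵌套 error 落在時間範圍內,整個父文檔(連同它所有的嵌套 errors)都會被選中。 聚合同理:nested 聚合會遍歷這些父文檔下的全部嵌套 errors,所以日期直方圖中會出現前一天的桶;若要保留嵌套結構,需要在 nested 聚合內部再用 filter 聚合加上相同的 range 條件。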
如果您想按照期望的方式對數據進行切片,我認為正確的方法是去掉嵌套的“errors”字段,改為將每個錯誤都索引為獨立的文檔(而不是父文檔的嵌套子級)。