日期之間的Elasticsearch聚合字段
[英]Elasticsearch aggregate field between dates
問題描述
我想將兩個存儲桶相互比較,並找到出現在第二個存儲桶中的新事件。 以下查詢返回提供的兩個UNIX時間戳之間的“ query.keyword”字段中的所有條目,但我希望UNIX時間戳與聚合部分本身分開。
GET _search
{
"size": 0,
"query": {
"range" :{
"ts": {
"gte":1535155200,
"lte":1535414399
}
}
},
"aggs": {
"domains": {
"terms": {
"field":"query.keyword"
}
}
}
}
我也嘗試過此操作,但收到錯誤:
"Found two aggregation type definitions in [domains_prev]: [range] and [terms]",
GET _search
{
"size": 0,
"aggs": {
"domains_prev": {
"range" :{
"field":"ts",
"ranges": [
{"to" : 1535414399},
{"from" : 1535155200}
]
},
"terms": {
"field":"query.keyword"
}
}
}
}
目的是要有類似的東西:
Agg1
"domains_prev"
"field":"query.keyword"
date:gte:timestamp, lte:timestamp
Agg2
"domains_today"
"field":"query.keyword"
date:today
show all "query.keyword" in agg2 that does not appear in agg1.
這是我用來實現預期結果的SQL查詢:
select domains FROM table WHERE date >= 20171123 and domains NOT IN (SELECT domains FROM table WHERE date < 20171123 group by domains)
1 個解決方案
解決方案1
0 2018-08-28 11:57:43
您需要從日期范圍開始進行嵌套存儲桶聚合:
在他們的頁面上,從頂級聚合開始:
{
"aggs": {
"range": {
"date_range": {
"field": "date",
"format": "MM-yyy",
"ranges": [
{ "to": "now-10M/M" },
{ "from": "now-10M/M" }
]
}
}
}
}
然后,在其下使用query.keyword嵌套現有的術語聚合。
最終結果應類似於:
{
"aggs": {
"range": {
"date_range": {
"field": "date",
"format": "MM-yyy",
"ranges": [
{ "to": "now-10M/M" },
{ "from": "now-10M/M" }
]
},
"aggs": {
"domains": {
"terms": {
"field":"query.keyword"
}
}
}
}
}
}
Elasticsearch-在嵌套字段上聚合,然后在嵌套外部的字段上聚合
[英]Elasticsearch - Aggregate on nested field, then on field outside the nesting
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.