elasticsearch ElasticSearch在同一索引内联接数据,elasticsearch,kibana,elasticsearch,Kibana" /> elasticsearch ElasticSearch在同一索引内联接数据,elasticsearch,kibana,elasticsearch,Kibana" />
Fatal编程技术网
  • elasticsearch/
  • elasticsearch ElasticSearch在同一索引内联接数据

elasticsearch ElasticSearch在同一索引内联接数据

kibana

elasticsearch ElasticSearch在同一索引内联接数据,elasticsearch,kibana,elasticsearch,Kibana,我是ElasticSearch的新手,我正在同一索引中收集一些采用这种格式的应用程序日志 { "_index" : "app_logs", "_type" : "_doc", "_id" : "JVMYi20B0a2qSId4rt12", "_source" : { "username" : "mapred", "app_id" : "application_1569623930006_490200", "event_type"

我是ElasticSearch的新手,我正在同一索引中收集一些采用这种格式的应用程序日志

{
    "_index" : "app_logs",
    "_type" : "_doc",
    "_id" : "JVMYi20B0a2qSId4rt12",
    "_source" : {
      "username" : "mapred",
      "app_id" : "application_1569623930006_490200",
      "event_type" : "STARTED",
      "ts" : "2019-10-02T08:11:53Z"
}
我可以有不同的活动类型。在这种情况下,我对
开始
完成
感兴趣。我想查询ES,以便获得在某一天开始的所有应用程序,并用它们的结束时间丰富它们。基本上,我想创建一对开始/结束(也可能缺少一个结束,但这很好)

我已经意识到sql中的连接关系不能在ES中使用,我想知道是否可以利用其他一些特性在一个查询中得到这个结果

编辑:这些是索引映射的详细信息

{ 
 “app_logs" : {
  "mappings" : {
   "_doc" : {
    "properties" : {
      "event_type" : {
        "type" : "text",
        "fields" : {
          "keyword" : {
            "type" : "keyword",
            "ignore_above" : 256
          }
        }
      },
      “app_id" : {
        "type" : "text",
        "fields" : {
          "keyword" : {
            "type" : "keyword",
            "ignore_above" : 256
          }
        }
      },
      "ts" : {
        "type" : "date"
      },
      “event_type” : {
        "type" : "text",
        "fields" : {
          "keyword" : {
            "type" : "keyword",
            "ignore_above" : 256
          }
        }
      }
    }
  }}}}
我的理解是,您希望核对具有与
已启动
已完成
相同的
应用程序id
以及
状态
的文档列表

我不认为Elasticsearch不是用来执行连接操作的。我的意思是你可以,但是你必须按照本文中提到的设计你的文档

你需要的是一个

下面是示例映射、文档、聚合查询和响应,以及它们的显示方式,这将实际帮助您获得所需的结果

映射: 样本文件 查询: 请注意,对于筛选,我使用了,因为您只想筛选该日期的文档,还添加了bool
should
逻辑,以根据
start
FINISHED
进行筛选

一旦我有了这些文件,我就利用了和来获得想要的结果

结果 请注意我所做的更改。每当您需要精确匹配或想要使用聚合时,您都需要使用
关键字
类型

在您共享的映射中,没有
用户名
字段,只有两个
事件类型
字段。我假设这只是人为的错误,其中一个字段应该是
username

现在,如果您仔细注意,字段
事件类型
有一个
文本
及其同级
关键字
字段。我刚刚修改了查询以使用关键字字段,当我这样做时,我正在使用关键字字段

试试这个,让我知道它是否有用

谢谢。它看起来真的像我要找的东西。我要试一试。但是,您能否澄清映射部分?据我所知,我应该将这种映射添加到索引中,但它是否适用于已经存在的文档?或者我应该再次恢复它们吗?如果映射细节与我的回答一致,我认为您不需要更改映射细节。但是我想知道你的索引的映射细节。@alexlipa默认情况下,如果你在创建索引时没有指定映射,ES将继续,根据你发送给它的数据,它将继续创建映射。您可以执行下面的操作并与我共享映射详细信息
GET/_mapping
,这样我就可以查看它并让您知道您是否需要进行任何更改或只是更改查询。我已经添加了我的映射详细信息Hey@alexlipa您可以查看我在同一部分发布的更新答案吗。如果有帮助,请告诉我! 
PUT mystatusindex
{
  "mappings": {
    "properties": {
      "username":{
        "type": "keyword"
      },
      "app_id":{
        "type": "keyword"
      },
      "event_type":{
        "type":"keyword"
      },
      "ts":{
        "type": "date"
      }
    }
  }
}

POST mystatusindex/_doc/1
{
    "username" : "mapred",
    "app_id" : "application_1569623930006_490200",
    "event_type" : "STARTED",
    "ts" : "2019-10-02T08:11:53Z"
}

POST mystatusindex/_doc/2
{
    "username" : "mapred",
    "app_id" : "application_1569623930006_490200",
    "event_type" : "FINISHED",
    "ts" : "2019-10-02T08:12:53Z"
}

POST mystatusindex/_doc/3
{
    "username" : "mapred",
    "app_id" : "application_1569623930006_490201",
    "event_type" : "STARTED",
    "ts" : "2019-10-02T09:30:53Z"
}

POST mystatusindex/_doc/4
{
    "username" : "mapred",
    "app_id" : "application_1569623930006_490202",
    "event_type" : "STARTED",
    "ts" : "2019-10-02T09:45:53Z"
}

POST mystatusindex/_doc/5
{
    "username" : "mapred",
    "app_id" : "application_1569623930006_490202",
    "event_type" : "FINISHED",
    "ts" : "2019-10-02T09:45:53Z"
}

POST mystatusindex/_doc/6
{
  "username" : "mapred",
  "app_id" : "application_1569623930006_490203",
  "event_type" : "STARTED",
  "ts" : "2019-10-03T09:30:53Z"
}

POST mystatusindex/_doc/7
{
  "username" : "mapred",
  "app_id" : "application_1569623930006_490203",
  "event_type" : "FINISHED",
  "ts" : "2019-10-03T09:45:53Z"
}

POST mystatusindex/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "ts": {
              "gte": "2019-10-02T00:00:00Z",
              "lte": "2019-10-02T23:59:59Z"
            }
          }
        }
      ],
      "should": [
        {
          "match": {
            "event_type": "STARTED"
          }
        },
        {
          "match": {
            "event_type": "FINISHED"
          }
        }
      ]
    }
  },
  "aggs": {
    "application_IDs": {
      "terms": {
        "field": "app_id"
      },
      "aggs": {
        "ids": {
          "top_hits": {
            "size": 10,
            "_source": ["event_type", "app_id"],
            "sort": [
              { "event_type": { "order": "desc"}}
              ]
          }
        }
      }
    }
  }
}

{
  "took" : 12,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 5,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "application_IDs" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "application_1569623930006_490200",       <----- APP ID
          "doc_count" : 2,
          "ids" : {
            "hits" : {
              "total" : {
                "value" : 2,
                "relation" : "eq"
              },
              "max_score" : null,
              "hits" : [
                {
                  "_index" : "mystatusindex",
                  "_type" : "_doc",
                  "_id" : "1",                     <--- Document with STARTED status
                  "_score" : null,
                  "_source" : {
                    "event_type" : "STARTED",     
                    "app_id" : "application_1569623930006_490200"
                  },
                  "sort" : [
                    "STARTED"
                  ]
                },
                {
                  "_index" : "mystatusindex",
                  "_type" : "_doc",
                  "_id" : "2",                    <--- Document with FINISHED status
                  "_score" : null,
                  "_source" : {
                    "event_type" : "FINISHED",     
                    "app_id" : "application_1569623930006_490200"
                  },
                  "sort" : [
                    "FINISHED"
                  ]
                }
              ]
            }
          }
        },
        {
          "key" : "application_1569623930006_490202",
          "doc_count" : 2,
          "ids" : {
            "hits" : {
              "total" : {
                "value" : 2,
                "relation" : "eq"
              },
              "max_score" : null,
              "hits" : [
                {
                  "_index" : "mystatusindex",
                  "_type" : "_doc",
                  "_id" : "4",
                  "_score" : null,
                  "_source" : {
                    "event_type" : "STARTED",
                    "app_id" : "application_1569623930006_490202"
                  },
                  "sort" : [
                    "STARTED"
                  ]
                },
                {
                  "_index" : "mystatusindex",
                  "_type" : "_doc",
                  "_id" : "5",
                  "_score" : null,
                  "_source" : {
                    "event_type" : "FINISHED",
                    "app_id" : "application_1569623930006_490202"
                  },
                  "sort" : [
                    "FINISHED"
                  ]
                }
              ]
            }
          }
        },
        {
          "key" : "application_1569623930006_490201",
          "doc_count" : 1,
          "ids" : {
            "hits" : {
              "total" : {
                "value" : 1,
                "relation" : "eq"
              },
              "max_score" : null,
              "hits" : [
                {
                  "_index" : "mystatusindex",
                  "_type" : "_doc",
                  "_id" : "3",
                  "_score" : null,
                  "_source" : {
                    "event_type" : "STARTED",
                    "app_id" : "application_1569623930006_490201"
                  },
                  "sort" : [
                    "STARTED"
                  ]
                }
              ]
            }
          }
        }
      ]
    }
  }
}

{ 
   "size":0,
   "query":{ 
      "bool":{ 
         "must":[ 
            { 
               "range":{ 
                  "ts":{ 
                     "gte":"2019-10-02T00:00:00Z",
                     "lte":"2019-10-02T23:59:59Z"
                  }
               }
            }
         ],
         "should":[ 
            { 
               "term":{ 
                  "event_type.keyword":"STARTED"   <----- Changed this 
               }
            },
            { 
               "term":{ 
                  "event_type.keyword":"FINISHED"  <----- Changed this 
               }
            }
         ]
      }
   },
   "aggs":{ 
      "application_IDs":{ 
         "terms":{ 
            "field":"app_id.keyword"               <----- Changed this 
         },
         "aggs":{ 
            "ids":{ 
               "top_hits":{ 
                  "size":10,
                  "_source":[ 
                     "event_type",
                     "app_id"
                  ],
                  "sort":[ 
                     { 
                        "event_type.keyword":{    <----- Changed this 
                           "order":"desc"
                        }
                     }
                  ]
               }
            }
         }
      }
   }
}