Elasticsearch: group logs by date by latest timestamp

Tags: elasticsearch, kibana, dsl

Please bear with me, as I am very new to Elasticsearch. Below is the schema of the data being piped into Elasticsearch. The "updated_at" field at the very bottom is the timestamp. Every two hours a new record of this data is piped into ES with an "updated_at" timestamp. I want to write a DSL query that pulls only each record by the maximum (latest) timestamp per day, but I am not sure how or where to start. I tried using aggs but did not get very far.
{
  "_index" : "analyticspeoplecountbycompany",
  "_type" : "analytics_PeopleCountByCompany",
  "_id" : "2hmEZW4Bxxxxx",
  "_score" : 1.0,
  "_source" : {
    "data" : {
      "result" : {
        "result" : [
          {
            "EntityName" : "",
            "Type" : "analytics_PeopleCountByCompany",
            "Value" : null,
            "Template" : {
              "Company" : "XXX",
              "Claimed" : "2",
              "Not Claimed" : "49",
              "Type" : "analytics_PeopleCountByCompany"
            }
          },
          {
            "EntityName" : "",
            "Type" : "analytics_PeopleCountByCompany",
            "Value" : null,
            "Template" : {
              "Company" : "YYY",
              "Claimed" : "75",
              "Not Claimed" : "108",
              "Type" : "analytics_PeopleCountByCompany"
            }
          },
          {
            "EntityName" : "",
            "Type" : "analytics_PeopleCountByCompany",
            "Value" : null,
            "Template" : {
              "Company" : "ZZZ",
              "Claimed" : "34",
              "Not Claimed" : "92",
              "Type" : "analytics_PeopleCountByCompany"
            }
          },
          {
            "EntityName" : "",
            "Type" : "analytics_PeopleCountByCompany",
            "Value" : null,
            "Template" : {
              "Company" : "AAA",
              "Claimed" : "97",
              "Not Claimed" : "260",
              "Type" : "analytics_PeopleCountByCompany"
            }
          },
          {
            "EntityName" : "",
            "Type" : "analytics_PeopleCountByCompany",
            "Value" : null,
            "Template" : {
              "Company" : "BBB",
              "Claimed" : "92",
              "Not Claimed" : "269",
              "Type" : "analytics_PeopleCountByCompany"
            }
          }
        ]
      },
      "type" : "analytics_PeopleCountByCompany",
      "description" : "Count of People by Company",
      "updated_at" : "2019-11-13T16:06:47.704Z"
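The usual way to get "the newest record per day" in Elasticsearch is a `date_histogram` aggregation on the timestamp field with a `top_hits` sub-aggregation sorted descending and limited to one hit. The following is an added example (not code from the question or from the pipeline it describes). It builds that query body in Python, and also runs the same reduction client-side over a few constructed sample documents so the intended result can be checked without a cluster. Assumptions: the timestamp lives at `data.updated_at` inside `_source` (as in the document above) and is mapped as a `date` field; `calendar_interval` needs Elasticsearch 7.2 or newer, older clusters take `"interval": "1d"` instead. The helper names are mine.

```python
import json
from datetime import datetime, timezone

# Assumption: "updated_at" sits under the "data" object, so the field path is
# "data.updated_at", and the index maps it as a `date` (sorting on a text field fails).
TIMESTAMP_FIELD = "data.updated_at"


def latest_per_day_query(field=TIMESTAMP_FIELD, time_zone="UTC"):
    """Query DSL body: one bucket per calendar day, the single newest hit in each."""
    return {
        "size": 0,  # only the aggregation is wanted, not the raw hit list
        "aggs": {
            "per_day": {
                "date_histogram": {
                    "field": field,
                    "calendar_interval": "1d",  # ES 7.2+; use "interval": "1d" on older versions
                    "time_zone": time_zone,     # day boundaries follow this zone (default UTC)
                    "min_doc_count": 1,         # drop days with no records
                },
                "aggs": {
                    "latest": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{field: {"order": "desc"}}],
                        }
                    }
                },
            }
        },
    }


def _get_path(doc, dotted):
    """Walk a dotted field path such as 'data.updated_at' into a _source dict."""
    for part in dotted.split("."):
        doc = doc[part]
    return doc


def reduce_latest_per_day(sources, field=TIMESTAMP_FIELD):
    """Client-side equivalent of the aggregation: {YYYY-MM-DD: newest _source for that day}.
    Useful for checking what the query is expected to return on known input."""
    newest = {}
    for src in sources:
        ts = datetime.strptime(_get_path(src, field), "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        day = ts.date().isoformat()
        if day not in newest or ts > newest[day][0]:
            newest[day] = (ts, src)
    return {day: src for day, (_, src) in newest.items()}


def extract_latest_hits(response):
    """Pull the one top_hits document out of each daily bucket of a search response."""
    out = {}
    for bucket in response["aggregations"]["per_day"]["buckets"]:
        hits = bucket["latest"]["hits"]["hits"]
        if hits:
            out[bucket["key_as_string"]] = hits[0]["_source"]
    return out


# Constructed sample input: pushes two hours apart on two days (not real pipeline data).
SAMPLE_SOURCES = [
    {"data": {"run": "a", "updated_at": "2019-11-13T12:06:47.704Z"}},
    {"data": {"run": "b", "updated_at": "2019-11-13T14:06:47.704Z"}},
    {"data": {"run": "c", "updated_at": "2019-11-13T16:06:47.704Z"}},
    {"data": {"run": "d", "updated_at": "2019-11-14T08:06:47.704Z"}},
    {"data": {"run": "e", "updated_at": "2019-11-14T10:06:47.704Z"}},
]

if __name__ == "__main__":
    print(json.dumps(latest_per_day_query(), indent=2))
    for day, src in sorted(reduce_latest_per_day(SAMPLE_SOURCES).items()):
        print(day, src["data"]["updated_at"])
```

Send the body from `latest_per_day_query()` to `GET /analyticspeoplecountbycompany/_search`; each `per_day` bucket then carries exactly one hit under `latest.hits.hits`, which `extract_latest_hits()` collects. Two caveats worth checking before trusting the output: the day boundary is UTC unless `time_zone` is set, so a record written at 23:30 local time may land in the next day's bucket, and `top_hits` returns the full `_source` by default, so add `"_source": [...]` inside `top_hits` if the documents are large.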