<img src="//i.stack.imgur.com/RUiNP.png" height="16" width="18" alt="" class="sponsor tag img">elasticsearch 查询以重新返回elasticsearch中的唯一字段集_<img Src="//i.stack.imgur.com/RUiNP.png" Height="16" Width="18" Alt="" Class="sponsor Tag Img">elasticsearch_<img Src="//i.stack.imgur.com/A3TTx.png" Height="16" Width="18" Alt="" Class="sponsor Tag Img">elasticsearch 5

elasticsearch 查询以重新返回elasticsearch中的唯一字段集

elasticsearch 查询以重新返回elasticsearch中的唯一字段集,elasticsearch,elasticsearch-5,elasticsearch,elasticsearch 5,我的警报记录存储在Elasticsearch 5.6索引中。执行\u搜索？q=*后，我返回的数据如下所示： "hits": [ { "_index": "alerts", "_type": "alert-mapping", "_id": "AWG0lW0jxQ7bOrwfOzFI", "_score": 1, "_source": { "events": [ {

我的警报记录存储在Elasticsearch 5.6索引中。执行

\u搜索？q=*

后，我返回的数据如下所示：

  "hits": [ 
   {
      "_index": "alerts",
      "_type": "alert-mapping",
      "_id": "AWG0lW0jxQ7bOrwfOzFI",
      "_score": 1,
      "_source": {
        "events": [
          {
             "name": "walking",
          }
        ],
        "categoryID": "easy",
        "comments": "this is a comment",
        "active": true
      }
    },
    {
      "_index": "alerts",
      "_type": "alert-mapping",
      "_id": "AWds3wd43980wfOzFI",
      "_score": 1,
      "_source": {
        "events": [
          {
             "name": "running",
          }
        ],
        "categoryID": "difficult",
        "comments": "this is another comment",
        "active": false
     }
   }]

根据数据规范，事件数组将只有一个值。这可能会在将来更新，但我现在可以在这个假设下操作。我试图做的是创建一个查询，该查询将获取所有唯一的

事件.name

值及其相应的

categoryID

我有一个我认为可行的示例查询，但它返回了所有唯一的

事件.name

值以及所有唯一的

类别ID

值。我当前的查询如下所示

GET alerts/_search
{
 "size":0,
 "aggs":{
    "alerts":{ 
        "terms":{ 
           "field":"events.name",
           "size":1 
         }
     },
     "categories":{
        "terms":{
           "field":"categoryID"
        }
     }
  }
}

"aggregations": {
"alerts": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": "running",
      "categories": "difficult",
      "doc_count": 225
    },
    {
      "key": "walking",
      "categories": "easy",
      "doc_count": 219
    }
  ]
}

这将返回如下所示的内容

"aggregations": {
"alerts": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": "running",
      "doc_count": 225
    },
    {
      "key": "walking",
      "doc_count": 219
    }
  ]
},
"categroies": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": "easy",
      "doc_count": 363
    },
    {
      "key": "difficult",
      "doc_count": 352
    }
  ]
}

}

我真正想要的是在返回的结果中同时包含

事件.name

和

categoryID

的东西，因此我得到所有

事件.name

及其相应的

categoryID

。看起来像这样的东西

GET alerts/_search
{
 "size":0,
 "aggs":{
    "alerts":{ 
        "terms":{ 
           "field":"events.name",
           "size":1 
         }
     },
     "categories":{
        "terms":{
           "field":"categoryID"
        }
     }
  }
}

"aggregations": {
"alerts": {
  "doc_count_error_upper_bound": 0,
  "sum_other_doc_count": 0,
  "buckets": [
    {
      "key": "running",
      "categories": "difficult",
      "doc_count": 225
    },
    {
      "key": "walking",
      "categories": "easy",
      "doc_count": 219
    }
  ]
}

可以将一个嵌套在另一个中，如下所示：

{
    "size": 0,
    "aggs": {
        "alerts": {
            "terms": {
                "field": "events.name",
                "size": 1
            },
            "aggs": {
                "categories": {
                    "terms": {
                        "field": "categoryID"
                    }
                }
            }
        }
    }
}

它并不完全是您想要的结构，但它将为您提供每个事件名称的嵌套的所有唯一类别ID。我想不出一种方法来实现所需的输出。

如果可以将“事件”字段的映射更改为嵌套类型，则可以使用反向嵌套聚合来接近所需的内容

POST /alerts/_search
{
 "query":{
    "match_all": {}
 },
 "aggs":{
    "events_name": {
        "nested": {
            "path": "events"
        },
        "aggs":{
            "events":{
                "terms": {
                    "field": "events.name"
                },
                "aggs":{
                    "category_ids":{
                        "reverse_nested":{},
                        "aggs":{
                            "cat_ids_per_event":{
                                "terms": {
                                    "field": "categoryID"
                                }
                            }
                        }
                    }
                }
            }
        }
    }
 }
}

给我这个假文件

"aggregations": {
    "events_name": {
        "doc_count": 9,
        "events": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {
                    "key": "walking",
                    "doc_count": 5,
                    "category_ids": {
                        "doc_count": 5,
                        "cat_ids_per_event": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                                {
                                    "key": "easy",
                                    "doc_count": 5
                                }
                            ]
                        }
                    }
                },
                {
                    "key": "running",
                    "doc_count": 4,
                    "category_ids": {
                        "doc_count": 4,
                        "cat_ids_per_event": {
                            "doc_count_error_upper_bound": 0,
                            "sum_other_doc_count": 0,
                            "buckets": [
                                {
                                    "key": "difficult",
                                    "doc_count": 4
                                }
                            ]
                        }
                    }
                }
            ]
        }
    }
}