Elasticsearch date histogram of the sum of a field's maximum across unique hosts

I'm trying to build a date histogram of the maximum of one field and a sum over multiple values of another field. Here are two sample matching documents:
{
  "_index": "logstash-2014.02.06",
  "_type": "xyz",
  "_id": "HZ_2oaGvQvKWvsOLyYrGrw",
  "_score": 1,
  "_source": {
    "@version": "1",
    "@timestamp": "2014-02-05T16:01:01.260-08:00",
    "type": "xyz",
    "host": "compute-4.lab.solinea.com",
    "received_at": "2014-02-05 21:01:01 UTC",
    "received_from": "10.10.11.33",
    "total_widgets": 24
  }
},
{
  "_index": "logstash-2014.02.06",
  "_type": "xyz",
  "_id": "HZ_2oaGvQvKWvsOLyYrGrx",
  "_score": 1,
  "_source": {
    "@version": "1",
    "@timestamp": "2014-02-05T16:01:01.260-08:00",
    "type": "xyz",
    "host": "compute-3.lab.solinea.com",
    "received_at": "2014-02-05 21:01:01 UTC",
    "received_from": "10.10.11.32",
    "total_widgets": 13
  }
}
In this example, for this date bucket I'm looking for sum(max(total_widgets)) across unique hosts. I've been trying a date histogram but haven't got what I want yet. Here is what I have:
{
  "query": {
    "range": {
      "@timestamp": {
        "gte": "2014-02-05T00:00:00+00:00",
        "lte": "2014-03-05T00:00:00+00:00"
      }
    }
  },
  "facets": {
    "total_widgets_facet": {
      "date_histogram": {
        "key_field": "@timestamp",
        "value_field": "total_widgets",
        "interval": "hour"
      },
      "facet_filter": {
        "term": {
          "type": "xyz"
        }
      }
    }
  }
}
I get a maximum value of 24, but I haven't figured out how to construct the query and facet so that, within one time bucket, I get the sum of the maximum of "total_widgets" across all unique hosts.

I would really appreciate any suggestions...

I have not found an effective way to do this with Elasticsearch 0.90.x, but the query below is an example of how to get the desired result using aggregations in 1.0.x:
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "from": "2014-02-07T00:00:00.000-00:00",
              "to": "2014-02-07T23:59:59.999-00:00"
            }
          }
        },
        {
          "term": {
            "type": "xyz"
          }
        }
      ]
    }
  },
  "aggs": {
    "events_by_host": {
      "terms": {
        "field": "host.raw"
      },
      "aggs": {
        "events_by_date": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "hour"
          },
          "aggs": {
            "max_total_widgets": {
              "max": {
                "field": "total_widgets"
              }
            },
            "avg_total_widgets": {
              "avg": {
                "field": "total_widgets"
              }
            }
          }
        }
      }
    }
  }
}
I wrote a blog post on this topic here: Have you looked into it? With that new feature your case might be easier to solve.

Thanks for the link. Now that you mention it, I did just see that page and found it interesting and applicable. I'm definitely looking forward to 1.0.
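The answer's aggregation returns the maximum per host per hour, but the sum across hosts still has to be computed on the client. The following is an added example (not code from the question, the answer, or Elasticsearch itself) that builds the same terms > date_histogram > max request body, stands in for the server with a constructed document set shaped like the question's two documents, and then walks the nested bucket response to produce sum(max(total_widgets)) per hour. The document list, the `simulate_response` stand-in, and the `host_buckets` parameter are assumptions made for the example; the `avg` sub-aggregation from the answer is left out because the sum does not need it.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample documents in the shape of the two in the question
# (only the fields the aggregation touches). Not real index data.
DOCS = [
    {"@timestamp": "2014-02-05T16:01:01.260-08:00", "type": "xyz",
     "host": "compute-4.lab.solinea.com", "total_widgets": 24},
    {"@timestamp": "2014-02-05T16:01:01.260-08:00", "type": "xyz",
     "host": "compute-3.lab.solinea.com", "total_widgets": 13},
    # A second sample from compute-4 in the same hour; the per-host max keeps 24.
    {"@timestamp": "2014-02-05T16:31:00.000-08:00", "type": "xyz",
     "host": "compute-4.lab.solinea.com", "total_widgets": 20},
    # Next hour, only compute-3 reported.
    {"@timestamp": "2014-02-05T17:05:00.000-08:00", "type": "xyz",
     "host": "compute-3.lab.solinea.com", "total_widgets": 15},
    # Different type: excluded by the term filter, so it must not count.
    {"@timestamp": "2014-02-05T17:05:00.000-08:00", "type": "abc",
     "host": "compute-3.lab.solinea.com", "total_widgets": 999},
]


def hour_bucket(ts):
    """Truncate an ISO-8601 timestamp (with UTC offset) to the start of its
    UTC hour, which is how an hourly date_histogram keys its buckets."""
    dt = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def build_request(doc_type, start, end, interval="hour", host_buckets=50):
    """Request body in the shape of the answer's ES 1.0 aggregation:
    terms on host.raw -> date_histogram per host -> max(total_widgets)."""
    return {
        "query": {"bool": {"must": [
            {"range": {"@timestamp": {"from": start, "to": end}}},
            {"term": {"type": doc_type}},
        ]}},
        "aggs": {"events_by_host": {
            # terms returns 10 buckets by default; size it to cover every host,
            # otherwise the client-side sum silently misses hosts.
            "terms": {"field": "host.raw", "size": host_buckets},
            "aggs": {"events_by_date": {
                "date_histogram": {"field": "@timestamp", "interval": interval},
                "aggs": {"max_total_widgets": {"max": {"field": "total_widgets"}}},
            }},
        }},
    }


def simulate_response(docs, doc_type):
    """Stand-in for Elasticsearch (assumption for this example): compute
    max(total_widgets) per host per hour and return it in the nested bucket
    layout that the request above produces."""
    per_host = defaultdict(lambda: defaultdict(lambda: float("-inf")))
    for d in docs:
        if d["type"] != doc_type:
            continue
        bucket = hour_bucket(d["@timestamp"])
        per_host[d["host"]][bucket] = max(per_host[d["host"]][bucket], d["total_widgets"])
    return {"aggregations": {"events_by_host": {"buckets": [
        {"key": host, "events_by_date": {"buckets": [
            {"key_as_string": when, "max_total_widgets": {"value": value}}
            for when, value in sorted(hours.items())
        ]}}
        for host, hours in sorted(per_host.items())
    ]}}}


def sum_of_max_per_hour(response):
    """Client-side step the answer leaves to the caller: add each host's
    per-hour max together so every hour ends up with sum(max(total_widgets))
    across unique hosts."""
    totals = defaultdict(int)
    for host_bucket in response["aggregations"]["events_by_host"]["buckets"]:
        for hour in host_bucket["events_by_date"]["buckets"]:
            value = hour["max_total_widgets"]["value"]
            if value is not None:  # empty histogram buckets report a null max
                totals[hour["key_as_string"]] += value
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    body = build_request("xyz", "2014-02-05T00:00:00+00:00", "2014-02-06T23:59:59+00:00")
    print(body)
    print(sum_of_max_per_hour(simulate_response(DOCS, "xyz")))
```

For the constructed documents this yields 37 for the 00:00 UTC hour on 2014-02-06 (24 from compute-4, whose second, lower sample does not change its max, plus 13 from compute-3) and 15 for the following hour; the document of a different type is dropped by the term filter. The point worth keeping from the example when running it against a real cluster is the terms `size`: a host that does not make it into the terms buckets is missing from the sum without any error.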