
我的映射模型(問題:ElasticSearch 聚合如何按子項字段的文檔數對分組排序):

// TypeLog 可能的取值:錯誤、信息、警告

{ 
    "onef-sora": { 
     "mappings": { 
     "Log": { 
      "properties": { 

       "application": { 
        "type": "string", 
        "index": "not_analyzed" 
       } 
       "typeLog": { 
        "type": "string" 
       } 
      } 
     } 
     } 
    } 
} 

我的查詢:

{ 
    "size": 0, 
    "aggs": { 
    "application": { 
     "terms": { 
     "field": "application", 
     "order" : { "_count" : "desc"}, 
     "size": 5 
     }, 
     "aggs": { 
     "typelogs": { 
      "terms": { 
      "field": "typeLog", 
      "order" : { "_term" : "asc"} 
      } 
     } 
     } 
    } 
    } 
} 

我想取得錯誤數最多的前 5 個應用程序,但 terms 聚合的 order 只支持三個鍵:_count、_term、_key。如何在我的查詢中依 typeLog 子聚合的 doc_count 進行排序?謝謝!!!

我想要的結果:

{ 
    "took": 3, 
    "timed_out": false, 
    "_shards": { 
     "total": 5, 
     "successful": 5, 
     "failed": 0 
    }, 
    "hits": { 
     "total": 10000, 
     "max_score": 0, 
     "hits": [] 
    }, 
    "aggregations": { 
     "application": { 
     "doc_count_error_upper_bound": 0, 
     "sum_other_doc_count": 5000, 
     "buckets": [ 
      { 
       "key": "OneF0", 
       "doc_count": 1000, 
       "typelogs": { 
        "doc_count_error_upper_bound": 0, 
        "sum_other_doc_count": 0, 
        "buckets": [ 
        { 
         "key": "error", 
         "doc_count": 334 
        }, 
        { 
         "key": "info", 
         "doc_count": 333 
        }, 
        { 
         "key": "warn", 
         "doc_count": 333 
        } 
        ] 
       } 
      }, 
      { 
       "key": "OneF1", 
       "doc_count": 1000, 
       "typelogs": { 
        "doc_count_error_upper_bound": 0, 
        "sum_other_doc_count": 0, 
        "buckets": [ 
        { 
         "key": "error", 
         "doc_count": 333 
        }, 
        { 
         "key": "info", 
         "doc_count": 334 
        }, 
        { 
         "key": "warn", 
         "doc_count": 333 
        } 
        ] 
       } 
      }, 
      { 
       "key": "OneF2", 
       "doc_count": 1000, 
       "typelogs": { 
        "doc_count_error_upper_bound": 0, 
        "sum_other_doc_count": 0, 
        "buckets": [ 
        { 
         "key": "error", 
         "doc_count": 332 
        }, 
        { 
         "key": "info", 
         "doc_count": 333 
        }, 
        { 
         "key": "warn", 
         "doc_count": 334 
        } 
        ] 
       } 
      } 

     ] 
     } 
    } 
} 

爲什麼不在你的'typelogs'子聚合中簡單地使用'_count:desc'? – Val


這沒有意義,我試過了。我想得到的是類型='錯誤'的頂級應用程序 –


不確定我是否理解,但 @juliendangers 提供的答案應該可行,他建議使用'_count:desc'。你可以刪除'term'查詢,它應該仍然可以工作。 – Val


既然你要取得錯誤最多的前 5 個應用程序,你可以在查詢中篩選,只保留錯誤日誌(也可以使用過濾器)。然後只需按文檔數降序排序即可

{ 
    "size": 0, 
    "query": { 
    "term": { 
     "typeLog": "Error" 
    } 
    }, 
    "aggs": { 
    "application": { 
     "terms": { 
     "field": "application", 
     "order": { 
      "_count": "desc" 
     }, 
     "size": 5 
     }, 
     "aggs": { 
     "typelogs": { 
      "terms": { 
      "field": "typeLog", 
      "order": { 
       "_count": "desc" 
      } 
      } 
     } 
     } 
    } 
    } 
} 

如果你需要在子聚合中保留所有 typeLog,可能需要反過來構造查詢

{ 
    "size": 0, 
    "aggs": { 
    "typelogs": { 
     "terms": { 
     "field": "typeLog", 
     "order": { 
      "_count": "asc" 
     } 
     }, 
     "aggs": { 
     "application": { 
      "terms": { 
      "field": "application", 
      "order": { 
       "_count": "desc" 
      }, 
      "size": 5 
      } 
     } 
     } 
    } 
    } 
} 

你將得到 3 個一級桶(按日誌類型),每個桶中是該日誌類型的前 5 名應用程序


我不想要過濾器,我也想得到警告和信息類型的總數 –


你要的是日誌最多的前 5 名應用程序,但日誌最多的應用程序可能只有信息日誌,因此不過濾文檔就無法得到錯誤最多的應用程序。順便說一句,請編輯你的問題,補充說明你希望保留所有 typeLog ;) –


請看我的編輯 –