Elasticsearch，嵌套聚合

Question

我正在寫動態查詢生成，它允許通過映射中的任何字段組合進行聚合。如下面的映射（截斷），嵌套類型中有字段。例如骨料由[activities.activity，持續時間]或[activities.activity，activities.duration]或[applicationName的，持續時間]

映射：

{ 
nested: { 
    properties: { 
     @timestamp: { 
      type: "date", 
      format: "dateOptionalTime" 
     }, 
     activities: { 
      type: "nested", 
      include_in_parent: true, 
      properties: { 
       activity: { 
        type: "string", 
        index: "not_analyzed" 
       }, 
       duration: { 
        type: "long" 
       }, 
       entry: { 
        properties: { 
         blockName: { 
          type: "string", 
          index: "not_analyzed" 
         }, 
         blockid: { 
          type: "string" 
         }, 
         time: { 
          type: "date", 
          format: "dateOptionalTime" 
         } 
        } 
       }, 
       exit: { 
        properties: { 
         blockName: { 
          type: "string", 
          index: "not_analyzed" 
         }, 
         blockid: { 
          type: "string" 
         }, 
         time: { 
          type: "date", 
          format: "dateOptionalTime" 
         } 
        } 
       }, 
       seq: { 
        type: "integer" 
       } 
      } 
     }, 
     applicationName: { 
      type: "string", 
      index: "not_analyzed" 
     }, 
     duration: { 
      type: "long" 
     } 
    } 
}} 

樣品文件：

{ 
"@timestamp": "2015-09-15T17:35:24.020Z", 
"duration": "37616", 
"applicationName": "my application name", 
"activities": [{ 
    "duration": "20362", 
    "entry": { 
     "blockid": "2", 
     "time": "2015-09-15T17:35:24.493Z", 
     "blockName": "My Self Service" 
    }, 
    "exit": { 
     "blockid": "2", 
     "time": "2015-09-15T17:35:44.855Z", 
     "blockName": "My Self Service" 
    }, 
    "seq": 1, 
    "activity": "Prompter v2.3" 
}, { 
    "duration": "96", 
    "entry": { 
     "blockid": "2", 
     "time": "2015-09-15T17:35:45.268Z", 
     "blockName": "My Self Service" 
    }, 
    "exit": { 
     "blockid": "2", 
     "time": "2015-09-15T17:35:45.364Z", 
     "blockName": "My Self Service" 
    }, 
    "seq": 2, 
    "activity": "Start v2.5" 
}, { 
    "duration": "15931", 
    "entry": { 
     "blockid": "2", 
     "time": "2015-09-15T17:35:45.669Z", 
     "blockName": "My Self Service" 
    }, 
    "exit": { 
     "blockid": "2", 
     "time": "2015-09-15T17:36:01.600Z", 
     "blockName": "My Self Service" 
    }, 
    "seq": 3, 
    "activity": "System v2.3" 
}]} 

樣品查詢：

{ 
"size": 0, 
"aggs": { 
    "dim0": { 
     "nested" : { 
      "path": "activities" 
     }, 
     "aggs": { 
      "dim1": { 
       "terms": { 
        "field": "activities.activity" 
       }, 
       "aggs": { 
        "dim_reverse":{ 
         "reverse_nested":{}, 
         "aggs":{ 
          "avg_duration": { 
           "avg": { 
            "field": "duration" 
           } 
          } 
         } 
        } 
       } 
      } 
     } 
    } 
}} 

問題, 正如您在查詢中所看到的，當在嵌套字段下的根級別字段上求平均值時。必須包含reverse_nested，以便可以看到根級字段「duration」。這意味着在生成查詢時，我們需要檢查字段的組合，以查看父/子字段是否嵌套字段，嵌套在相同路徑下或根級別，然後生成正確的查詢。在聚合更多字段時，這可能會更復雜，例如，通過[applicationName，activities.duration，duration，activities.activity]聚合。有誰知道更優雅的方式來做到這一點？如果我們可以指定絕對路徑，邏輯可能會更簡單

Answer 1

不是真正的答案，而是添加更多示例，因爲它可以幫助其他人更好地理解嵌套聚合。

 aggs field average field 
case1 yes   yes 
case2 yes   no 
case3 no   yes 
case4 no   no 

是 - >嵌套類型，NO->不嵌套類型

案例1相同的與路徑

查詢

{ 
"size": 0, 
"aggs": { 
    "dim0": { 
     "nested" : { 
      "path": "activities" 
     }, 
     "aggs": { 
      "dim1": { 
       "terms": { 
        "field": "activities.activity" 
       }, 
       "aggs":{ 
        "avg_duration": { 
         "avg": { 
          "field": "activities.duration" 
         } 
        } 
       } 
      } 
     } 
    } 
}} 

結果：

{ 
"took": 1, 
"timed_out": false, 
"_shards": { 
    "total": 5, 
    "successful": 5, 
    "failed": 0 
}, 
"hits": { 
    "total": 1, 
    "max_score": 0.0, 
    "hits": [] 
}, 
"aggregations": { 
    "dim0": { 
     "doc_count": 3, 
     "dim1": { 
      "doc_count_error_upper_bound": 0, 
      "sum_other_doc_count": 0, 
      "buckets": [{ 
       "key": "Prompter v2.3", 
       "doc_count": 1, 
       "avg_duration": { 
        "value": 20362.0 
       } 
      }, { 
       "key": "Start v2.5", 
       "doc_count": 1, 
       "avg_duration": { 
        "value": 96.0 
       } 
      }, { 
       "key": "System v2.3", 
       "doc_count": 1, 
       "avg_duration": { 
        "value": 15931.0 
       } 
      }] 
     } 
    } 
}} 

case1，這兩個字段是嵌套的，但reverse_nested在所有「活動上具有相同的平均值。持續時間」

查詢

{ 
"size": 0, 
"aggs": { 
    "dim0": { 
     "nested" : { 
      "path": "activities" 
     }, 
     "aggs": { 
      "dim1": { 
       "terms": { 
        "field": "activities.activity" 
       }, 
       "aggs": { 
        "dim_reverse1":{ 
         "reverse_nested":{ 
         }, 
         "aggs":{ 
          "avg_duration": { 
           "avg": { 
            "field": "activities.duration" 
           } 
          } 
         } 
        } 
       } 
      }     
     } 
    } 
}} 

結果

{ 
"took": 2, 
"timed_out": false, 
"_shards": { 
    "total": 5, 
    "successful": 5, 
    "failed": 0 
}, 
"hits": { 
    "total": 1, 
    "max_score": 0.0, 
    "hits": [] 
}, 
"aggregations": { 
    "dim0": { 
     "doc_count": 3, 
     "dim1": { 
      "doc_count_error_upper_bound": 0, 
      "sum_other_doc_count": 0, 
      "buckets": [{ 
       "key": "Prompter v2.3", 
       "doc_count": 1, 
       "dim_reverse1": { 
        "doc_count": 1, 
        "avg_duration": { 
         "value": 12129.666666666666 
        } 
       } 
      }, { 
       "key": "Start v2.5", 
       "doc_count": 1, 
       "dim_reverse1": { 
        "doc_count": 1, 
        "avg_duration": { 
         "value": 12129.666666666666 
        } 
       } 
      }, { 
       "key": "System v2.3", 
       "doc_count": 1, 
       "dim_reverse1": { 
        "doc_count": 1, 
        "avg_duration": { 
         "value": 12129.666666666666 
        } 
       } 
      }] 
     } 
    } 
}} 

情形3

查詢

{ 
"size": 0, 
"aggs": { 
    "dim1": { 
     "terms": { 
      "field": "applicationName" 
     }, 
     "aggs":{ 
      "avg_duration": { 
       "avg": { 
        "field": "activities.duration" 
       } 
      } 
     } 
    } 
}} 

結果

{ 
"took": 2, 
"timed_out": false, 
"_shards": { 
    "total": 5, 
    "successful": 5, 
    "failed": 0 
}, 
"hits": { 
    "total": 1, 
    "max_score": 0.0, 
    "hits": [] 
}, 
"aggregations": { 
    "dim1": { 
     "doc_count_error_upper_bound": 0, 
     "sum_other_doc_count": 0, 
     "buckets": [{ 
      "key": "my application name", 
      "doc_count": 1, 
      "avg_duration": { 
       "value": 12129.666666666666 
      } 
     }] 
    } 
}} 

情況2包括reserver_nested到回到根水平

查詢

{ 
"size": 0, 
"aggs": { 
    "dim0": { 
     "nested" : { 
      "path": "activities" 
     }, 
     "aggs": { 
      "dim1": { 
       "terms": { 
        "field": "activities.activity" 
       }, 
       "aggs": { 
        "dim_reverse":{ 
         "reverse_nested":{}, 
         "aggs":{ 
          "avg_duration": { 
           "avg": { 
            "field": "duration" 
           } 
          } 
         } 
        } 
       } 
      } 
     } 
    } 
}} 

結果：

{ 
"took": 2, 
"timed_out": false, 
"_shards": { 
    "total": 5, 
    "successful": 5, 
    "failed": 0 
}, 
"hits": { 
    "total": 1, 
    "max_score": 0.0, 
    "hits": [] 
}, 
"aggregations": { 
    "dim0": { 
     "doc_count": 3, 
     "dim1": { 
      "doc_count_error_upper_bound": 0, 
      "sum_other_doc_count": 0, 
      "buckets": [{ 
       "key": "Prompter v2.3", 
       "doc_count": 1, 
       "dim_reverse": { 
        "doc_count": 1, 
        "avg_duration": { 
         "value": 37616.0 
        } 
       } 
      }, { 
       "key": "Start v2.5", 
       "doc_count": 1, 
       "dim_reverse": { 
        "doc_count": 1, 
        "avg_duration": { 
         "value": 37616.0 
        } 
       } 
      }, { 
       "key": "System v2.3", 
       "doc_count": 1, 
       "dim_reverse": { 
        "doc_count": 1, 
        "avg_duration": { 
         "value": 37616.0 
        } 
       } 
      }] 
     } 
    } 
}} 

情況2，而不指定嵌套路徑

查詢

{ 
"size": 0, 
"aggs": { 
    "dim1": { 
     "terms": { 
      "field": "activities.activity" 
     }, 
     "aggs":{ 
      "avg_duration": { 
       "avg": { 
        "field": "duration" 
       } 
      } 
     } 
    } 
}} 

結果結果是與先前一個

{ 
"took": 2, 
"timed_out": false, 
"_shards": { 
    "total": 5, 
    "successful": 5, 
    "failed": 0 
}, 
"hits": { 
    "total": 1, 
    "max_score": 0.0, 
    "hits": [] 
}, 
"aggregations": { 
    "dim1": { 
     "doc_count_error_upper_bound": 0, 
     "sum_other_doc_count": 0, 
     "buckets": [{ 
      "key": "Prompter v2.3", 
      "doc_count": 1, 
      "avg_duration": { 
       "value": 37616.0 
      } 
     }, { 
      "key": "Start v2.5", 
      "doc_count": 1, 
      "avg_duration": { 
       "value": 37616.0 
      } 
     }, { 
      "key": "System v2.3", 
      "doc_count": 1, 
      "avg_duration": { 
       "value": 37616.0 
      } 
     }] 
    } 
} 

}

情況2，而無需指定reserver_nested， 「持續時間」 在根級別沒有看到

查詢

{ 
"size": 0, 
"aggs": { 
    "dim0": { 
     "nested" : { 
      "path": "activities" 
     }, 
     "aggs": { 
      "dim1": { 
       "terms": { 
        "field": "activities.activity" 
       }, 
       "aggs":{ 
        "avg_duration": { 
         "avg": { 
          "field": "duration" 
         } 
        } 
       } 
      } 
     } 
    } 
}} 

結果

{ 
"took": 2, 
"timed_out": false, 
"_shards": { 
    "total": 5, 
    "successful": 5, 
    "failed": 0 
}, 
"hits": { 
    "total": 1, 
    "max_score": 0.0, 
    "hits": [] 
}, 
"aggregations": { 
    "dim0": { 
     "doc_count": 3, 
     "dim1": { 
      "doc_count_error_upper_bound": 0, 
      "sum_other_doc_count": 0, 
      "buckets": [{ 
       "key": "Prompter v2.3", 
       "doc_count": 1, 
       "avg_duration": { 
        "value": null 
       } 
      }, { 
       "key": "Start v2.5", 
       "doc_count": 1, 
       "avg_duration": { 
        "value": null 
       } 
      }, { 
       "key": "System v2.3", 
       "doc_count": 1, 
       "avg_duration": { 
        "value": null 
       } 
      }] 
     } 
    } 
}}