Problem description
I have the following JSON data:
{
"_index": "logs","_type": "_doc","_id": "122","_version": 7,"_score": null,"_source": {
"Data": {
"FacTotal": 62701268992,"FacFree": 56609468416,"FacStatus": "normal","Version": "2.0","Ip": "192.168.0.106"
},"Created": "2021-01-04T14:13:48.245760","Device": "T1",
"Customer": "demo1"
},"fields": {
"Data.UpTime": [
"2021-01-04T14:10:05.000Z"
],"Created": [
"2021-01-04T14:13:48.245Z"
]
},"sort": [
1609769628245
]
}
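Like the JSON data above, I have data for multiple different Customers, and each customer has multiple Devices. I wrote the query below, which gives me a list of all the Customers and the number of Devices each customer has.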
GET logs/_search
{
"size": 0,"aggs": {
"customers": {
"terms": {
"field": "Customer.keyword"
},"aggs": {
"type_count": {
"cardinality": {
"field": "Device.keyword"
}
}
}
}
}
}
The response is as follows:
{
"took" : 996,"timed_out" : false,"_shards" : {
"total" : 5,"successful" : 5,"skipped" : 0,"Failed" : 0
},"hits" : {
"total" : {
"value" : 325,"relation" : "eq"
},"max_score" : null,"hits" : [ ]
},"aggregations" : {
"customers" : {
"doc_count_error_upper_bound" : 0,"sum_other_doc_count" : 0,"buckets" : [
{
"key" : "demo1","doc_count" : 141,"type_count" : {
"value" : 5
}
},{
"key" : "demo2","doc_count" : 140,{
"key" : "demo3","doc_count" : 36,"type_count" : {
"value" : 1
}
},{
"key" : "demo4","doc_count" : 8,"type_count" : {
"value" : 1
}
}
]
}
}
}
How can I modify the above query so that, along with the count, it also gives us the customer's device names? Something like below:
{
"key": "demo1","doc_count": 141,"type_count": {
"value": 3
},"device_name": [ <- device name
"T1","T2","T3"
]
}
Thanks
Solution
Good start!! You can make use of the terms aggregation:
GET logs/_search
{
"size": 0,"aggs": {
"customers": {
"terms": {
"field": "Customer.keyword"
},"aggs": {
"device_name": {
"terms": {
"field": "Device.keyword","size": 100
}
},"type_count": {
"cardinality": {
"field": "Device.keyword"
}
}
}
}
}
}
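An added example, not part of the original answer: a Python helper that reads the response of the query above and returns each customer's device names next to the `type_count` value, flagging device lists that the terms `size` cut short (`cardinality` is an approximate count, so the two can differ). The response data is constructed for illustration, and `summarize_devices` is a hypothetical helper name.

```python
# Constructed sample response (not output from the page): demo2's device list is
# cut short by the inner terms "size", which shows up as sum_other_doc_count > 0.
SAMPLE_RESPONSE = {"aggregations": {"customers": {
    "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
    "buckets": [
        {"key": "demo1", "doc_count": 141, "type_count": {"value": 3},
         "device_name": {"sum_other_doc_count": 0, "buckets": [
             {"key": "T1", "doc_count": 100},
             {"key": "T2", "doc_count": 30},
             {"key": "T3", "doc_count": 11}]}},
        {"key": "demo2", "doc_count": 140, "type_count": {"value": 3},
         "device_name": {"sum_other_doc_count": 15, "buckets": [
             {"key": "T7", "doc_count": 90},
             {"key": "T8", "doc_count": 35}]}},
    ]}}}


def summarize_devices(response):
    """Return ({customer: summary}, outer_truncated) from the nested aggregation."""
    customers = response["aggregations"]["customers"]
    summary = {}
    for bucket in customers["buckets"]:
        devices = bucket["device_name"]
        names = sorted(b["key"] for b in devices["buckets"])
        summary[bucket["key"]] = {
            "device_name": names,
            "listed": len(names),
            # cardinality estimate of distinct Device.keyword values
            "type_count": bucket["type_count"]["value"],
            # Non-zero sum_other_doc_count: documents belong to devices that
            # did not fit in the inner terms "size", so the list is incomplete.
            "truncated": devices.get("sum_other_doc_count", 0) > 0,
        }
    # The outer terms aggregation returns 10 buckets by default; a non-zero
    # value here means some customers are missing from the response entirely.
    outer_truncated = customers.get("sum_other_doc_count", 0) > 0
    return summary, outer_truncated


if __name__ == "__main__":
    result, missing_customers = summarize_devices(SAMPLE_RESPONSE)
    for customer, info in result.items():
        print(customer, info)
    print("customers missing from response:", missing_customers)
```

When `truncated` is true, raise the inner `size` or page through the devices before treating the list as a complete inventory.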

You can use the stats bucket aggregation together with the terms aggregation to achieve your use case.
Adding a working example with index data, search query, and search result
Index data:
{
"Device": "T2","Customer": "demo1"
}
{
"Device": "T2","Customer": "demo1"
}
{
"Device": "T1","Customer": "demo2"
}
{
"Device": "T3","Customer": "demo1"
}
Search query:
{
  "size": 0,
  "aggs": {
    "customers": {
      "terms": {
        "field": "Customer.keyword"
      },
      "aggs": {
        "device_name": {
          "terms": {
            "field": "Device.keyword"
          }
        },
        "bucketcount": {
          "stats_bucket": {
            "buckets_path": "device_name._count"
          }
        }
      }
    }
  }
}
Search result:
"aggregations": {
"customers": {
"doc_count_error_upper_bound": 0,"sum_other_doc_count": 0,"buckets": [
{
"key": "demo1",// note this
"doc_count": 2,"device_name": {
"doc_count_error_upper_bound": 0,"buckets": [
{
"key": "T2",// note this
"doc_count": 2
}
]
},"bucketcount": {
"count": 1,// note this
"min": 2.0,"max": 2.0,"avg": 2.0,"sum": 2.0
}
},{
"key": "demo2","doc_count": 2,"buckets": [
{
"key": "T1","doc_count": 1
},{
"key": "T3","doc_count": 1
}
]
},"bucketcount": {
"count": 2,"min": 1.0,"max": 1.0,"avg": 1.0,"sum": 2.0
}
}
]
}
}