问题描述
以下查询按最大不同ID数的顺序返回不同ID。我想做的是“仅包括文档总数少于2000个的ID”
{
"size": "0","query": {
"range": {
"@timestamp": {
"gte": "2020-10-20T00:00:00","lt": "2020-10-21T00:00:00"
}
}
},"aggs": {
"ids": {
"terms": {
"field": "Id.keyword","size": 1000
}
}
}
}
我尝试通过“ doc_count”添加过滤器,但这没有帮助。我该怎么做?
解决方法
您可以使用bucket_selector aggregation
来过滤存储分区桶选择器聚合是父管道聚合,它执行一个脚本来确定 当前存储桶是否将保留在父多存储桶中 聚集。
{
"size": "0","query": {
"range": {
"@timestamp": {
"gte": "2020-10-20T00:00:00","lt": "2020-10-21T00:00:00"
}
}
},"aggs": {
"ids": {
"terms": {
"field": "Id.keyword","size": 1000
},"aggs": {
"count_filter": {
"bucket_selector": {
"buckets_path": {
"values": "_count"
},"script": "params.values < 2000" <-- note this
}
}
}
}
}
}