问题描述
我想知道是否可以这样做。假设我有一个testindex的以下映射:
{
"properties": {
"datetime": {
"type": "date"
},"datetime_range": {
"type": "date_range"
},"devname": {
"type": "keyword"
},"group": {
"type": "keyword"
},"my_join_field": {
"type": "join","eager_global_ordinals": true,"relations": {
"startevent": "traffic"
}
},"new_rcvdbyte": {
"type": "long"
},"new_sentbyte": {
"type": "long"
},"rcvdbyte": {
"type": "long"
},"sentbyte": {
"type": "long"
},"tunnelid": {
"type": "keyword"
},"user": {
"type": "keyword"
}
}
}
其中包含以下示例文档:
[{
"user": "someuser","devname": "somedevice","datetime_range": {
"gte": "2020-10-21T15:50:57","lte": "2020-10-21T16:50:57"
},"my_join_field": "startevent"
},{
"user": "someuser","group": "somegroup","datetime": "2020-10-21T15:52:57","sentbyte": 123,"rcvdbyte": 456,"new_sentbyte": 123,"new_rcvdbyte": 456,"my_join_field": {
"name": "traffic","parent": "1"
}
},"datetime": "2020-10-21T15:54:57","sentbyte": 246,"rcvdbyte": 912,"parent": "1"
}]
我希望能够汇总这些文档,使输出类似于以下内容:
{
"user" : "someuser","devname" : "somedevice","datetime_range" : {
"gte" : "2020-10-21T15:50:57","lte" : "2020-10-21T16:50:57"
},"new_sentbyte_sum": 246,"new_rcvdbyte_sum": 912
}
我最多想出的是在inner_hits中使用has_child,但这并不能解决sum和{子文档中包含{1}}个字段。
注意:请注意,它不像使用常规
new_rcvdbyte或new_sentbyte字段那样简单,因为我将通过过滤rcvdbytesentbyte间隔。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)