Elastic - filter after selecting the top 5 matches

Problem description

I am using the alerting feature in Kibana and I want to check whether the last 5 consecutive values of a field exceed a threshold x, but if I use a filter in the Elastic query, that filter is applied before the top-N aggregation.

Is there another selector or method that applies the filter afterwards, or that checks whether the last consecutive values exceed the threshold? I don't want to do any of the checking in the trigger condition, because that would return all documents in ctx rather than only the documents exceeding the threshold that I want to show in the alert message.

I have been stuck on this for a while and have only seen blog posts saying that sub-aggregations on top-N are not possible, so any help would be appreciated.

Here is my query:

{
    "size": 500,
    "query": {
        "bool": {
            "filter": [
                {
                    "match_all": {
                        "boost": 1
                    }
                },
                {
                    "match_phrase": {
                        "client.id": {
                            "query": "42",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-10m",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggs": {
        "2": {
            "terms": {
                "field": "component.name",
                "order": {
                    "_key": "desc"
                },
                "size": 50
            },
            "aggs": {
                "3": {
                    "terms": {
                        "field": "client.name.keyword",
                        "order": {
                            "_key": "desc"
                        },
                        "size": 5
                    },
                    "aggs": {
                        "1": {
                            "top_hits": {
                                "docvalue_fields": [
                                    {
                                        "field": "gc.oldgen.used",
                                        "format": "use_field_mapping"
                                    }
                                ],
                                "_source": "gc.oldgen.used",
                                "size": 5,
                                "sort": [
                                    {
                                        "@timestamp": {
                                            "order": "desc"
                                        }
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        }
    }
}

Solution

Have you tried using a filter sub-aggregation: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-filter-aggregation.html

Or you can use a pipeline aggregation to manipulate the aggregation results: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline.html

By the way, a term query on the client ID looks more appropriate.
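As an added example (not code from the question or the answer), the two suggestions above combined: the filter sub-aggregation and a bucket_selector pipeline aggregation prune, server-side, every client bucket with fewer than 5 over-threshold samples in the window, and a short client-side step over the top_hits then checks that the 5 latest samples are all above the threshold, which is the condition the alert message needs. It assumes the question's aggregation names ("2", "3", "1") and field names; the threshold and the response are constructed.

```python
# Added example, not the asker's or answerer's code. Assumes the question's
# query: terms "2" (component.name) -> terms "3" (client.name.keyword) ->
# top_hits "1", size 5, sorted by @timestamp desc. Threshold is constructed.
THRESHOLD = 900_000_000   # gc.oldgen.used in bytes; constructed value
N_CONSECUTIVE = 5

# Sub-aggregations for the per-client bucket "3". "over" is the filter
# sub-aggregation from the answer's first link; "keep" is a bucket_selector
# pipeline aggregation (second link) that drops clients with fewer than N
# over-threshold samples in the window. That is only a necessary condition;
# "the latest N are all breaches" is checked client-side below.
CLIENT_SUBAGGS = {
    "1": {"top_hits": {"_source": "gc.oldgen.used", "size": N_CONSECUTIVE,
                       "sort": [{"@timestamp": {"order": "desc"}}]}},
    "over": {"filter": {"range": {"gc.oldgen.used": {"gt": THRESHOLD}}}},
    "keep": {"bucket_selector": {"buckets_path": {"c": "over._count"},
                                 "script": f"params.c >= {N_CONSECUTIVE}"}},
}

def consecutive_breaches(response, threshold=THRESHOLD, n=N_CONSECUTIVE):
    """Map (component, client) -> latest n gc.oldgen.used values for clients
    whose n most recent samples ALL exceed threshold. top_hits is sorted by
    @timestamp desc, so hits[:n] are the newest n samples, newest first."""
    breaches = {}
    for comp in response["aggregations"]["2"]["buckets"]:
        for client in comp["3"]["buckets"]:
            hits = client["1"]["hits"]["hits"][:n]
            values = [h["_source"]["gc"]["oldgen"]["used"] for h in hits]
            if len(values) == n and all(v > threshold for v in values):
                breaches[(comp["key"], client["key"])] = values
    return breaches

def _hits(values):
    """Build a top_hits payload from newest-first values (constructed data)."""
    return {"hits": {"hits": [{"_source": {"gc": {"oldgen": {"used": v}}}}
                              for v in values]}}

# Constructed response: client-a breached on all 5 latest samples; client-b has
# 5 breaches in the window but its newest sample is back under the threshold
# (bucket_selector alone would have kept it); client-c has only 3 samples.
CONSTRUCTED_RESPONSE = {"aggregations": {"2": {"buckets": [
    {"key": "gateway", "3": {"buckets": [
        {"key": "client-a", "1": _hits([950e6, 940e6, 930e6, 920e6, 910e6])},
        {"key": "client-b", "1": _hits([880e6, 950e6, 940e6, 930e6, 920e6])},
    ]}},
    {"key": "worker", "3": {"buckets": [
        {"key": "client-c", "1": _hits([990e6, 980e6, 970e6])},
    ]}},
]}}}
```

Only the values returned by consecutive_breaches need to go into the alert message, so the template no longer has to iterate over every document in ctx.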