我的搜索查询是从弹性数据库中获取最新的5000个文档,如下所示
{
"size": 5000,
"from": 0,
"query": {
"range" : {
"hostTimestamp" : {
"gte" : 1499674634382,
"lte" : 1499680034000
}
}
},
"sort": [
{
"hostTimestamp": {
"order": "desc"
}
}
]
}
现在,在根据此查询提取的文档中,我想要计算eventSeverity为Alert或Critical的文档。如何实现这一目标?
答案 0 :(得分:1)
您可以使用eventSeverity字段中的terms aggregation来实现这一目标:
{
"size": 5000,
"from": 0,
"query": {
"range" : {
"hostTimestamp" : {
"gte" : 1499674634382,
"lte" : 1499680034000
}
}
},
"sort": [
{
"hostTimestamp": {
"order": "desc"
}
}
],
"aggs": { <--- add this part
"severities": {
"terms": {
"field": "eventSeverity"
}
}
}
}