我刚刚使用过Elastic Search。
我想使用group by两次完成此查询。
这是我的弹性搜索查询组由srcM在 通常这样做。
但我的java代码不正确。 这是我的java代码。 我想看。 srcip:~~ / srcMac:~~ / sum:~~
怎么了?{
"query": {
"range": {
"@timestamp": {
"gte": "now-7d/d",
"lte": "now/d"
}
}
},
"size": 0,
"aggs": {
"id1_count": {
"terms": {
"field": "srcip"
},
"aggs": {
"id2_count": {
"terms": {
"field": "srcMac"
}
},
"aggs": {
"sum": {
"script": "doc['rcvd'].value + doc['sent'].value"
}
}
}
}
}
}
TermsAggregationBuilder termagg2 = AggregationBuilders.terms("id2_count").field("srcMac")
// add the sum sub-aggregation
.subAggregation(aggregation);
TermsAggregationBuilder termagg = AggregationBuilders.terms("aggs").field("srcip").size(10)
// add the second-level terms sub-aggregation
.subAggregation(termagg2);
SearchResponse sr = client.prepareSearch("coreit").setTypes("doc")
.setQuery(qb)
.addAggregation(termagg)
.execute().actionGet();
Terms terms = sr.getAggregations().get("aggs");
for (Terms.Bucket bucket : terms.getBuckets()) {
long cnt =bucket.getDocCount() ;
Sum agg = bucket.getAggregations().get("agg");
System.out.println(bucket.getKey()+" / cnt : "+cnt + " : sum : "+agg.getValue() );
}
Terms terms2 = sr.getAggregations().get("aggs");
for (Terms.Bucket bucket2 : terms2.getBuckets()) {
System.out.println(bucket2.getKey());
} << I think this part is error
答案 0 :(得分:0)
你几乎就在那里,你只需要正确构建你的聚合:
// build the inner-most sum aggregation
SumAggregationBuilder aggregation = AggregationBuilders.sum("agg").script(sct);
// build the second-level terms aggregation on srcMac
TermsAggregationBuilder termagg2 = AggregationBuilders.terms("id2_count")
.field("srcMac")
// add the sum sub-aggregation
.subAggregation(aggregation);
// build the top-level terms aggregation
TermsAggregationBuilder termagg = AggregationBuilders
.terms("aggs")
.field("srcip")
.size(10)
// add the second-level terms sub-aggregation
.subAggregation(termagg2);