Applying a composite aggregation to filtered data

Time: 2020-03-31 01:12:33

Tags: elasticsearch elasticsearch-aggregation elasticsearch-dsl

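I am using a composite aggregation because the use case requires "paginating" the buckets returned by the aggregation, as the number of buckets returned can be large.

I also need to run the composite aggregation over a specific time range, for which I am using a "range" filter. However, the Elasticsearch response does not contain any data in "aggregations". The "hits" array does contain the correct data per the filter. I am only interested in the results of the composite aggregation.

Am I missing something?

The request is as follows: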

GET <my-index>/_search 
{
  "query" : {
    "range" : {
      "@timestamp" : {
        "gte" : "2020-03-29T14:53:42.068Z",
        "lt" : "2020-03-29T15:53:42.068Z"
      }
    }
  },
  "aggs" : {
    "uniq_userids": {
      "composite" : {
        "size": 100,
        "sources" : [
          { "by_userid": { "terms" : { "field": "userid.keyword" } } }
        ]
      }
    } 
  } 
}

The response is as follows:

{
  "took" : 10,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 12,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
          ...
    ]
  },
  "aggregations" : {
    "uniq_userids" : {
      "buckets" : [ ]
    }
  }
}

Expected output in the aggregations element:

  "aggregations" : {
    "uniq_userids" : {
      "after_key" : {
        "by_userid" : "user4"
      },
      "buckets" : [
        {
          "key" : {
            "by_userid" : "user1"
          },
          "doc_count" : 3
        },
        {
          "key" : {
            "by_userid" : "user2"
          },
          "doc_count" : 3
        },
        {
          "key" : {
            "by_userid" : "user3"
          },
          "doc_count" : 2
        }
      ]
    }
  }

Sample document:

      {
        "_index": "xxxxxxxxxxx",
        "_type": "doc",
        "_id": "fpFcKXEB9-HOO02nOoEG",
        "_score": 1,
        "_source": {
          "message": "xxxxxxxxxxx",
          "input": {
            "type": "log"
          },
          "tags": [
            "beats_input_codec_plain_applied"
          ],
          "offset": 56422597,
          "logday": "2020-03-29",
          "userid": "user1",
          "source": "xxxxxxxxxxx",
          "@version": "1",
          "prospector": {
            "type": "log"
          },
          "Micro_time": "2020-03-29 14:54:01.366719",
          "logtime": "14:54:01.366719",
          "@timestamp": "2020-03-29T14:54:01.366Z"
        }
      }

0 answers:

No answers