多亏了我的 Elasticsearch 索引上那个出色的 Kibana 前端,我得以构建出一个查询,用来统计特定时间跨度内每小时的记录数:
{
"facets": {
"0": {
"date_histogram": {
"field": "@timestamp",
"interval": "1h"
},
"global": true,
"facet_filter": {
"fquery": {
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*"
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": "2014-08-01T07:00:00.000Z",
"to": "2014-09-01T06:59:59.999Z"
}
}
},
{
"fquery": {
"query": {
"query_string": {
"query": "tags:\"solr_search\""
}
},
"_cache": true
}
}
]
}
}
}
}
}
}
}
},
"size": 0
}'
它给出了如下输出:
{
"took" : 27,
"timed_out" : false,
"_shards" : {
"total" : 155,
"successful" : 155,
"failed" : 0
},
"hits" : {
"total" : 267366,
"max_score" : 0.0,
"hits" : [ ]
},
"facets" : {
"0" : {
"_type" : "date_histogram",
"entries" : [ {
"time" : 1406876400000,
"count" : 120
}, {
"time" : 1406880000000,
"count" : 115
}, {
"time" : 1406883600000,
"count" : 134
}, {
"time" : 1406887200000,
"count" : 87
}, {
"time" : 1406890800000,
"count" : 99
}, {
"time" : 1406894400000,
"count" : 141
}, {
"time" : 1406898000000,
"count" : 168
}, {
"time" : 1406901600000,
"count" : 300
}, {
"time" : 1406905200000,
"count" : 782
}, {
"time" : 1406908800000,
"count" : 1085
}, {
并且(同样借助 Kibana 的帮助),针对某一个特定的时间段,我可以用如下查询得到搜索次数最多的前 10 个搜索词列表:
{
"facets": {
"terms": {
"terms": {
"field": "searchstring.raw",
"size": 10,
"order": "count",
"exclude": []
},
"facet_filter": {
"fquery": {
"query": {
"filtered": {
"query": {
"bool": {
"should": [
{
"query_string": {
"query": "*"
}
}
]
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": 1406876400000,
"to": 1406880000000
}
}
},
{
"fquery": {
"query": {
"query_string": {
"query": "tags:\"solr_search\""
}
},
"_cache": true
}
}
]
}
}
}
}
}
}
}
},
"size": 0
}'
结果如下:
{
"took" : 56,
"timed_out" : false,
"_shards" : {
"total" : 155,
"successful" : 155,
"failed" : 0
},
"hits" : {
"total" : 267366,
"max_score" : 0.0,
"hits" : [ ]
},
"facets" : {
"terms" : {
"_type" : "terms",
"missing" : 0,
"total" : 120,
"other" : 86,
"terms" : [ {
"term" : "term1",
"count" : 11
}, {
"term" : "term2",
"count" : 4
}, {
"term" : "term3",
"count" : 3
}, {
"term" : "term4",
"count" : 3
}, {
"term" : "term5",
"count" : 3
}, {
"term" : "term6",
"count" : 2
}, {
"term" : "term7",
"count" : 2
}, {
"term" : "term8",
"count" : 2
}, {
"term" : "term9",
"count" : 2
}, {
"term" : "term10",
"count" : 2
} ]
}
}
}
我想要做的是:对于第一个查询输出中的每一个时间段,取出该时间段内的前 10 个搜索词,并把它们放进每个时间段对应的输出里。我对 Elasticsearch 查询语言还比较陌生,到目前为止,我把这两个查询合并起来的尝试都以失败告终。如果有人能给些指点,我将不胜感激。
答案 0 :(得分:0)
我最终放弃了 facets 方式,转而使用更新的聚合(aggregations)语法。下面这个查询最终返回了我想要的结果:
{
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": "2014-08-01T00:00:00.000Z",
"to": "2014-09-01T00:00:00.000Z"
}
}
},
{
"fquery": {
"query": {
"query_string": {
"query": "tags:\"solr_search\""
}
},
"_cache": true
}
}
]
}
}
}
},
"aggs": {
"searches_per_hour": {
"date_histogram" : {
"field": "@timestamp",
"interval": "1h",
"format": "yyyy-MM-dd ha"
},
"aggs": {
"top_search_terms": {
"terms": {
"field": "searchstring.raw",
"size": 10,
"shard_size": 300
}
}
}
}
}
}
希望这能为其他人省下一些工作时间 :)