我的弹性搜索映射如下
[
{
"runTimeMilliSeconds": {
"type": "long"
},
"syslogMessage": {
"properties": {
"DATE": {
"type": "string"
},
"FACILITY": {
"type": "string"
},
"FILE_NAME": {
"type": "string"
},
"HOST": {
"type": "string"
},
"HOST_FROM": {
"type": "string"
},
"ISODATE": {
"type": "date",
"format": "dateOptionalTime"
},
"LEGACY_MSGHDR": {
"type": "string"
},
"MESSAGE": {
"type": "string"
},
"PID": {
"type": "string"
},
"PRIORITY": {
"type": "string"
},
"PROGRAM": {
"type": "string"
},
"SOURCE": {
"type": "string"
}
}
}
}
]
现在我想找出最后六个小时的数据,所以我写下面的查询
{
"query": {
"match_all": {
}
},
"aggs": {
"last_6_hours": {
"filter": {
"range": {
"ISODATE": {
"gte": "now-6h",
"lte": "now"
}
}
},
"aggs": {
"date_wise_logs_counts": {
"date_histogram": {
"field": "ISODATE",
"interval": "1h"
}
}
}
}
}
}
我返回结果如下
{
"aggregations": {
"last_6_hours": {
"doc_count": 1933,
"date_wise_logs_counts": {
"buckets": [
{
"key_as_string": "2015-02-10T04: 00: 00.000Z",
"key": 1423540800000,
"doc_count": 342
},
{
"key_as_string": "2015-02-10T05: 00: 00.000Z",
"key": 1423544400000,
"doc_count": 1591
}
]
}
}
}
}
但是我的问题是我想找出最大和最小时间,例如在上面的输出doc_count = 342
中,所以我想要从这个计数产生的日期开始,所以我想要的输出如下
{
"aggregations": {
"last_6_hours": {
"doc_count": 1933,
"date_wise_logs_counts": {
"buckets": [
{
"key_as_string": "2015-02-10T04: 00: 00.000Z",
"key": 1423540800000,
"doc_count": 342,
"max": 1423540800000,
"min": 1423537239000
},
{
"key_as_string": "2015-02-10T05: 00: 00.000Z",
"key": 1423544400000,
"doc_count": 1591,
"max": 1423544400000,
"min": 1423540800000
}
]
}
}
}
}
从上面的输出中我预测doc_count = 342
来自1423540800000
到1423537239000
的时间内向。我使用弹性搜索版本1.4.0