How to handle aggregations with Elasticsearch?

Time: 2016-02-16 20:47:58

Tags: elasticsearch aggregate

Query:

GET test5/_search
{
   "size": 1,
   "aggregations": {
      "Location": {
         "terms": {
            "field": "Location"
         }
      }
   }
}

Output:

   {
           "took": 5,
           "timed_out": false,
           "_shards": {
              "total": 5,
              "successful": 5,
              "failed": 0
           },
           "hits": {
              "total": 19,
              "max_score": 1,
              "hits": [
                 {
                    "_index": "test5",
                    "_type": "xxxxxx",
                    "_id": "AVLOBXbvFe2VQdUY7tZu",
                    "_score": 1,
                    "_source": {
                        fired",
                       "Host": "N/A",
                       "Mac": "N/A",
                       "Destination IP": "xxx.xxx.xxx.xxx",
                       "Location": "United States",
                       "Events/Flows": "107",
                       "Asset Name": "N/A",
                       "Custom Rule XXXX :": "xxxxxxfp",
                       "User": "N/A"
                    }
                 }
              ]
           },
           "aggregations": {
              "Location": {
                 "doc_count_error_upper_bound": 0,
                 "sum_other_doc_count": 0,
                 "buckets": [
                    {
                       "key": "other",
                       "doc_count": 11
                    },
                    {
                       "key": "states",
                       "doc_count": 2
                    },
                    {
                       "key": "united",
                       "doc_count": 2
                    }
                 ]
              }
           }
        }

You can see that United States is treated as two keys. How can I make United States a single key?

1 answer:

Answer 0 (score: 1)

You need to make sure the Location field is not_analyzed, otherwise its value will be tokenized and analyzed by ES, so that United States becomes the two tokens you see: united and states.

When creating your mapping, you need to make sure the Location field looks like this:
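The following is an added example, not code from the question or the answer above. It shows the two Elasticsearch 2.x mapping bodies side by side (the plain "string" field that produced the split buckets, and the not_analyzed field that fixes them) and simulates locally what the terms aggregation returns under each, so it runs without a cluster. The type name "xxxxxx" is taken from the output in the question; the sample documents are constructed for this example, and the standard-analyzer stand-in (split on non-word characters, lowercase) is an assumption that is close enough for plain ASCII place names.

```python
"""Why a terms aggregation on an analyzed string field yields "united" and
"states" instead of "United States", and how a not_analyzed mapping fixes it.

The mapping dicts are what you would PUT as the index body in Elasticsearch
2.x; the aggregation is simulated here so the script runs offline."""
import re
from collections import Counter

# Constructed sample documents (not the questioner's data).
DOCS = [
    {"Location": "United States"},
    {"Location": "United States"},
    {"Location": "other"},
    {"Location": "other"},
    {"Location": "other"},
]

# Mapping that reproduces the problem: a plain "string" field goes through
# the standard analyzer, so the stored terms are lowercased single words.
ANALYZED_MAPPING = {
    "mappings": {"xxxxxx": {"properties": {"Location": {"type": "string"}}}}
}

# Mapping that fixes it: the whole value is stored as one exact term.
NOT_ANALYZED_MAPPING = {
    "mappings": {"xxxxxx": {"properties": {
        "Location": {"type": "string", "index": "not_analyzed"}}}}
}


def standard_analyzer(value):
    """Assumed stand-in for ES's standard analyzer: split on non-word
    characters and lowercase. Sufficient for ASCII place names."""
    return [t.lower() for t in re.findall(r"\w+", value)]


def index_terms(mapping, value):
    """Return the terms ES would index for `value` under `mapping`."""
    field = mapping["mappings"]["xxxxxx"]["properties"]["Location"]
    if field.get("index") == "not_analyzed":
        return [value]  # a single term, bytes untouched
    return standard_analyzer(value)


def terms_aggregation(mapping, docs, field="Location"):
    """Simulate the `terms` aggregation: one bucket per indexed term, with
    each document counted at most once per distinct term it produced.
    Buckets are ordered like ES does: doc_count descending, then key."""
    counts = Counter()
    for doc in docs:
        for term in set(index_terms(mapping, doc[field])):
            counts[term] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{"key": k, "doc_count": n} for k, n in ordered]


if __name__ == "__main__":
    # Analyzed: buckets "other", "states", "united" (the question's symptom).
    print(terms_aggregation(ANALYZED_MAPPING, DOCS))
    # not_analyzed: buckets "other" and "United States".
    print(terms_aggregation(NOT_ANALYZED_MAPPING, DOCS))
```

Two caveats a practitioner will hit: an existing field's mapping cannot be changed in place, so the not_analyzed mapping has to be created on a new index and the data reindexed; and in Elasticsearch 5 and later the "string" type was split into "text" (analyzed) and "keyword" (not analyzed), so there the field is declared as `"type": "keyword"` and the aggregation targets that keyword field.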