我将一些数据放入elasticsearch中。映射如下:
"@timestamp": { "index": "not_analyzed", "type": "date"},
"ROUTER" : { "type" : "integer", "index" : "not_analyzed"},
"IN_IFACE" : { "type" : "integer", "index" : "not_analyzed"},
"OUT_IFACE" : { "type" : "integer", "index" : "not_analyzed"},
"SRC_MAC" : { "type" : "long", "index" : "not_analyzed"},
"DST_MAC" : { "type" : "long", "index" : "not_analyzed"},
"SRC_IP" : { "type" : "ip", "index" : "not_analyzed"},
"DST_IP" : { "type" : "ip", "index" : "not_analyzed"},
"BYTES" : { "type" : "long", "index" : "not_analyzed" },
"PACKETS" : { "type" : "long", "index" : "not_analyzed" }
时间戳是1454256000到1454342400。
他们应该代表从2016/02/01 00:00:00到2016/02/01 23:55:00的时间。
但是当我使用下面的查询进行搜索时。回报不是我想要的。
curl -XPOST "127.0.0.1:9200/sflow_1454256000/sflow/_search?pretty" -d '
{
"size":0,
"query": {
"filtered":{
"filter":{
"bool":{
"must":[
{"term":{"ROUTER":10002}},
{"term":{"IN_IFACE":2}}
]
}
}
}
},
"aggs": {
"by_minute": {
"date_histogram": {
"field": "@timestamp",
"interval": "5m"
},
"aggs": {
"sum_bytes": {
"sum": {
"field": "BYTES"
}
}
}
}
}
}'
{
"took" : 459,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"failed" : 0
},
"hits" : {
"total" : 1150167,
"max_score" : 0.0,
"hits" : [ ]
},
"aggregations" : {
"by_minute" : {
"buckets" : [ {
"key_as_string" : "1970-01-17T19:55:00.000Z",
"key" : 1454100000,
"doc_count" : 1150167,
"sum_bytes" : {
"value" : 3.450522575E9
}
} ]
}
}
}
你可以看到我希望每5分钟将值放入一个桶中。但现在看来所有数据都落入一个桶中,时间也不合适。
任何人都能告诉我为什么好吗?
答案 0 :(得分:1)
您显然正在索引时间/ 1000
1454256000/1000 = 1454256 -> Sat, 17 Jan 1970 19:57:36 GMT
1454342400/1000 = 1454342 -> Sat, 17 Jan 1970 19:59:02 GMT
这就是为什么它们都属于同一个桶1970-01-17T19:55:00.000Z,与您的日期间隔/ 1000相对应