我正在试图获取一个特定地址的所有日志,并按子字段(context.id)对它们进行分组,但我遇到了问题。我尝试了嵌套聚合等等。但我没有运气。我使用PHP库,因此我将查询编写为php数组。一切正常,直到添加聚合查询。
异常抛出是:
illegal_state_exception: Field data loading is forbidden on [context.id]
$params = [
'index' => 'logstash-*',
'type' => 'INFO',
'body' => [
'query' => [
'bool' => [
"must" => [
["term" => ["tags" => "producer"]],
["term" => ["tags" => "statistics"]],
["term" => ["message" => "view"]],
],
"filter" => [
"geo_distance" => [
"distance" => "10km",
"distance_type" => "plane",
"geoip.location" => [
"lat" => 40.4326058,
"lon" => -3.6996032
]
]
]
]
],
"aggs" => [
"context" => [
"nested" => [
"path" => "context"
],
"aggs" => [
"group_by_id" => [
"terms" => ["field" => "context.id"]
]
]
]
],
]
];
有人能指出我正确的查询吗?
答案 0 :(得分:0)
最后,这里的问题是这个领域。这是一个索引字段,我需要使用“context.id.raw”字段。