我有以下索引的架构: -
PUT
"mappings": {
"event": {
"properties": {
"@timestamp": { "type": "date", "doc_values": true},
"partner_id": { "type": "integer", "doc_values": true},
"event_id": { "type": "integer", "doc_values": true},
"count": { "type": "integer", "doc_values": true, "index": "no" },
"device_id": { "type": "string", "index":"not_analyzed","doc_values":true }
"product_id": { "type": "integer", "doc_values": true},
}
}
}
我需要等同于以下查询的结果: -
SELECT product_id, device_id, sum(count) FROM index WHERE partner_id=5 AND timestamp<=end_date AND timestamp>=start_date GROUP BY device_id,product_id having sum(count)>1;
我可以通过以下弹性查询来实现结果: -
GET
{
"store": true,
"size":0,
"aggs":{
"matching_events":{
"filter":{
"bool":{
"must":[
{
"term":{
"partner_id":5
}
},
{
"range":{
"@timestamp":{
"from":1470904000,
"to":1470904999
}
}
}
]
}
},
"aggs":{
"group_by_productid": {
"terms":{
"field":"product_id"
},
"aggs":{
"group_by_device_id":{
"terms":{
"field":"device_id"
},
"aggs":{
"total_count":{
"sum":{
"field":"count"
}
},
"sales_bucket_filter":{
"bucket_selector":{
"buckets_path":{
"totalCount":"total_count"
},
"script": {"inline": "totalCount > 1"}
}
}
}
}}
}
}
}
}
}'
但是对于count is <=1
查询返回空桶的情况,其中键为product_id
。现在有超过40万个群体,只有100k会满足条件,所以我返回了巨大的结果集,其中大部分是没用的。如何在聚合后仅选择特定字段?我试过这个但不工作 - “”字段“:[”aggregations.matching_events.group_by_productid.group_by_device_id.buckets.key“]
修改
我有以下数据集: -
device id Partner Id Count
db63te2bd38672921ffw27t82 367 3
db63te2bd38672921ffw27t82 272 1
我输出这个: -
{
"took":6,
"timed_out":false,
"_shards":{
"total":5,
"successful":5,
"failed":0
},
"hits":{
"total":7,
"max_score":0.0,
"hits":[
]
},
"aggregations":{
"matching_events":{
"doc_count":5,
"group_by_productid":{
"doc_count_error_upper_bound":0,
"sum_other_doc_count":0,
"buckets":[
{
"key":367,
"doc_count":3,
"group_by_device_id":{
"doc_count_error_upper_bound":0,
"sum_other_doc_count":0,
"buckets":[
{
"key":"db63te2bd38672921ffw27t82",
"doc_count":3,
"total_count":{
"value":3.0
}
}
]
}
},
{
"key":272,
"doc_count":1,
"group_by_device_id":{
"doc_count_error_upper_bound":0,
"sum_other_doc_count":0,
"buckets":[
]
}
}
]
}
}
}
}
正如您所看到的,带有密钥272的存储桶是空的,这是有意义的,但是不应该从结果集中删除此存储桶吗?
答案 0 :(得分:1)
我刚发现有一个相当新的问题和PR会在_bucket_count
选项中添加buckets_path
路径,以便聚合可以根据另一个聚合具有的桶数。换句话说,如果父{1}} _bucket_count
为0,则应删除该存储桶。
这是github问题:https://github.com/elastic/elasticsearch/issues/19553