弹性搜索:在聚合中选择多个值

时间:2017-06-22 07:24:09

标签: elasticsearch

在弹性搜索中,我有以下带有'allocated_bytes','total_bytes'和其他字段的索引:

{
  "_index" : "metrics-blockstore_capacity-2017_06",
  "_type" : "datapoint",
  "_id" : "AVzHwgsi9KuwEU6jCXy5",
  "_score" : 1.0,
  "_source" : {
    "timestamp" : 1498000001000,
    "resource_guid" : "2185d15c-5298-44ac-8646-37575490125d",
    "allocated_bytes" : 1.159196672E9,
    "resource_type" : "machine",
    "total_bytes" : 1.460811776E11,
    "machine" : "2185d15c-5298-44ac-8646-37575490125d"
  }

我有以下查询 1)使用日期直方图得到30分钟间隔的点 2)在resource_guid上按字段分组。 3)max aggregate找到最大值。 

{
  "size": 0,
  "query": {
    "bool": {
  "must": [
    {
      "range": {
        "timestamp": {
          "gte": 1497992400000,
          "lte": 1497996000000
        }
      }
    }
  ]
}
},
"aggregations": {
"groupByTime": {
  "date_histogram": {
    "field": "timestamp",
    "interval": "30m",
    "order": {
      "_key": "desc"
    }
  },
  "aggregations": {
    "groupByField": {
      "terms": {
        "size": 1000,
        "field": "resource_guid"
      },
      "aggregations": {
        "maxValue": {
          "max": {
            "field": "allocated_bytes"
          }
         }
      }
    },
    "sumUnique": {
      "sum_bucket": {
        "buckets_path": "groupByField>maxValue"
      }
    }
  }
}

} }

但是使用这个查询我只能得到allocated_bytes,但我需要在结果点同时使用allocated_bytes和total_bytes。

以下是上述查询的结果:

{
    "key_as_string" : "2017-06-20T21:00:00.000Z",
    "key" : 1497992400000,
    "doc_count" : 9,
    "groupByField" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [ {
        "key" : "2185d15c-5298-44ac-8646-37575490125d",
        "doc_count" : 3,
        "maxValue" : {
          "value" : 1.156182016E9
        }
      }, {
        "key" : "c3513cdd-58bb-4f8e-9b4c-467230b4f6e2",
        "doc_count" : 3,
        "maxValue" : {
          "value" : 1.156165632E9
        }
      }, {
        "key" : "eff13403-9737-4d08-9dca-fb6c12c3a6fa",
        "doc_count" : 3,
        "maxValue" : {
          "value" : 1.156182016E9
        }
      } ]
    },
    "sumUnique" : {
      "value" : 3.468529664E9
    }
  }

我确实需要allocated_bytes和total_bytes。如何为每个点获取多个字段(allocated_bytes,total_bytes)?

例如:

"sumUnique" : {
      "Allocatedvalue" : 3.468529664E9,
      "TotalValue" : 9.468529664E9
    }

或者像这样:

"allocatedBytessumUnique" : {
      "value" : 3.468529664E9
    }
"totalBytessumUnique" : {
      "value" : 9.468529664E9
    },

1 个答案:

答案 0 :(得分:0)

您只需添加其他聚合:

{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "timestamp": {
              "gte": 1497992400000,
              "lte": 1497996000000
            }
          }
        }
      ]
    }
  },
  "aggregations": {
    "groupByTime": {
      "date_histogram": {
        "field": "timestamp",
        "interval": "30m",
        "order": {
          "_key": "desc"
        }
      },
      "aggregations": {
        "groupByField": {
          "terms": {
            "size": 1000,
            "field": "resource_guid"
          },
          "aggregations": {
            "maxValueAllocated": {
              "max": {
                "field": "allocated_bytes"
              }
            },
            "maxValueTotal": {
              "max": {
                "field": "total_bytes"
              }
            }
          }
        },
        "sumUniqueAllocatedBytes": {
          "sum_bucket": {
            "buckets_path": "groupByField>maxValueAllocated"
          }
        },
        "sumUniqueTotalBytes": {
          "sum_bucket": {
            "buckets_path": "groupByField>maxValueTotal"
          }
        }
      }
    }
  }
}

我希望您知道sum_bucket仅计算兄弟聚合,在这种情况下给出最大值的总和,而不是total_bytes的总和。如果您想获得total_bytes的总和,可以使用sum aggregation

相关问题
最新问题