我对DSL非常陌生,目前我正在努力尝试执行复合SQL,例如" Group By"在我的弹性搜索索引中的多个字段上。我从www.elastic.co上的参考文档中了解到,术语聚合不支持从同一文档中的多个字段中收集术语
为克服此限制而给出的两个选项是Script或Copy_to字段
在我使用脚本或Copy_to请求意见/解决方案之前,我想了解我是否已经用尽所有其他选项。
成功运行的当前代码是:
query_result = {"query":{
"bool": {
"must": [{"range": {"flStDttmEst": {"gte":"2017-06-20 10:00:00","lte":"2017-06-20 11:55:00",}}},
],
"filter": [
{"terms": {"proto": ["6","17"]}},
{"terms": {"dstAd": ["165.130.217.", "165.130.217.","165.130.217.","165.130.217.","165.130.217." ]}}
],
}
},
"aggregations":{
"SumPKTSaggs":{
"date_histogram":{"field":"flStDttmEst","interval":"hour","format":"yyyy-MM-dd HH:mm:ss"},
"aggs":{"SumPkts":{
"sum":{"field":"smPkts"}}}},
"SumACKaggs":{
"date_histogram":{"field":"flStDttmEst","interval":"hour","format":"yyyy-MM-dd HH:mm:ss"},
"aggs":{"SumACK":{
"sum":{"field":"smACK"}}}}
}
}
return
JSON和Python Dataframe的输出是:
{
"SumACKaggs": {
"buckets": [
{
"SumACK": {
"value": 23721.0
},
"doc_count": 19493,
"key": 1497952800000,
"key_as_string": "2017-06-20 10:00:00"
},
{
"SumACK": {
"value": 23530.0
},
"doc_count": 19441,
"key": 1497956400000,
"key_as_string": "2017-06-20 11:00:00"
}
]
},
"SumPKTSaggs": {
"buckets": [
{
"SumPkts": {
"value": 1310745.0
},
"doc_count": 19493,
"key": 1497952800000,
"key_as_string": "2017-06-20 10:00:00"
},
{
"SumPkts": {
"value": 1308840.0
},
"doc_count": 19441,
"key": 1497956400000,
"key_as_string": "2017-06-20 11:00:00"
}
]
}
}
time SumOfPkts SumOfACKs
0 2017-06-20 10:00:00 1310745.0 23721.0
1 2017-06-20 11:00:00 1308840.0 23530.0
然而,我的最终目标是不仅将时间用作"组。聚合以及其他变量,如proto和dstAd。
请指教并非常感谢您的时间!!
史蒂夫