ElasticSearch - 如何在每个聚合桶中获得最小时间戳?

时间:2017-08-16 07:16:03

标签: elasticsearch lucene aggregation

我在ElasticSearch中有以下文档:

"ip": "192.168.10.12", "@timestamp": "2017-08-10T00:00:00.000Z", "states": "newyork", "user" : "admin"

"ip": "192.168.10.12", "@timestamp": "2017-08-10T01:25:00.000Z", "states": "California", "user" : "guest"

我尝试按用户使用Elasticsearch术语聚合 这就是我所在的地方:

{
  "size":0,
  "query":{
     "bool":{
        "must":[
           {
              "term":{
                 "user":"admin"
              }
           },
           {
              "range":{
                 "@timestamp":{
                    "gte": "2017-08-10T00:00:00.000Z",
                    "lte": "2017-08-10T04:58:00.000Z"
                 }
              }
           }
        ]
     }
  },
  "aggs":{
     "states":{
        "terms":{
           "field":"states",
            "min_doc_count":8
        }
     }
  }
}

并从查询中返回:

{
   "took": 1,
   "timed_out": false,
   "_shards": {
      "total": 1,
      "successful": 1,
      "failed": 0
   },
   "hits": {
      "total": 2,
      "max_score": 0,
      "hits": []
   },
   "aggregations": {
      "states": {
         "doc_count_error_upper_bound": 0,
         "sum_other_doc_count": 0,
         "buckets": [
            {
               "key": "New York",
               "doc_count": 200
            },
            {
               "key": "California",
               "doc_count": 10
            },

            {
               "key": "North Dakota",
               "doc_count": 125
            }
         ]
      }
   }
}

我想在每个桶中获得最小的@timestamp,

但是从回归中我可以得到每个桶“最小”@timestamp?

1 个答案:

答案 0 :(得分:1)

您只需添加min指标子聚合

即可 
  "aggs":{
     "states":{
        "terms":{
           "field":"states",
            "min_doc_count":8
        }, 
        "aggs": {
            "min_timestamp": {
               "min": {
                  "field": "@timestamp"
               }
            }   
        }
     }
  }
相关问题
最新问题