我有像
这样的Elasticsearch文档2017-10-30T22:31:32 {"msg":"start","query_id":"d84c4772","details":"sometext"}
2017-10-30T22:31:33 {"msg":"end", "query_id":"d84c4772","duration":"0.512"}
每对代表某个过程的开始和结束。 query_id是每对的唯一值(即,在所有文档中应该只有两次,例如这里缩短了)
如何找到(使用Elasticsearch)破坏的对,即第二对(或第一对)丢失的文档?
更新:这是_search中文档的样子:
{
"_index" : "dump_log",
"_type" : "default",
"_id" : "AV9vm0W3E9w_DiFlsabN",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2017-10-30T06:25:02.355381",
"@message" : {
"msg" : "end",
"query_id" : "d84c4772",
"duration" : "0.512"
}
}
},
{
"_index" : "dump_log",
"_type" : "default",
"_id" : "AV9vm0W3E9w_DiFlsabO",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2017-10-30T06:25:02.356364",
"@message" : {
"details" : "sometext",
"query_id" : "d84c4772",
"msg" : "start"
}
}
}
答案 0 :(得分:0)
我的简单和最佳方法是在 [object]$paramObj=Get-Content "PowerShellModuleProject1\parameter2.json"|ConvertFrom-Json
$userName =$paramObj.userName
$password =$paramObj.password
$webAppName =$paramObj.webAppName
$resourceGroup=$paramObj.resourceGroup
[object[]]$webJobs=$paramObj.webJobs
foreach($wj in $webjobs){
if($wj.typeName -eq "continuous")
{
Invoke-AzureRmResourceAction -ResourceGroupName $resourceGroup -ResourceType Microsoft.Web/sites/ContinuousWebJobs -ResourceName "$webAppName/$($wj.name)" -Action start -ApiVersion 2015-08-01 -Force
Write-Host "continuous"
Write-Host $wj.name
}
else{
Invoke-AzureRmResourceAction -ResourceGroupName $resourceGroup -ResourceType Microsoft.Web/sites/TriggeredWebJobs -ResourceName "$webAppName/$($wj.name)" -Action run -ApiVersion 2015-08-01 -force
Write-Host "triggered"
Write-Host $wj.name
}
}
上按query_id的升序汇总每个广告位:
_count您将获得每个{
"size": 0,
"aggregations":{
"queries":{
"terms":{
"field": "query_id",
"order":{
"_count": "asc"
},
"size": 10
}
}
}
}
的有序桶列表。
因为它按升序排序,所以第一个桶会有(如果有破坏的对)query_id。
如果有超过10个破损对,您需要增加大小以查看更多破损对。
如果您希望实际看到损坏的文档,请使用Top Hits聚合:
"doc_count" : 1