我需要在单个查询中找到一个字段。我已设法在特定日期时间范围内对特定字段求和。 我尝试使用聚合查询来获取特定日期时间范围内的字段总数,但获取总值为0
我的文档json看起来如下:
{
"_index": "flow-2018.02.01",
"_type": "doc",
"_source": {
"@timestamp": "2018-02-01T01:02:40.701Z",
"dest": {
"ip": "120.119.37.237",
"mac": "d4:6d:50:21:f8:44",
"port": 3280
},
"final": true,
"flow_id": "EQQA////DP//////FP8BAAFw5CIXZxTUbVAh+ERn/7FMeHcl7S6z0Aw",
"last_time": "2018-02-01T01:01:48.349Z",
"source": {
"ip": "100.255.177.76",
"mac": "70:e4:30:15:67:14",
"port": 45870,
"stats": {
"bytes_total": 60,
"packets_total": 1
}
},
"start_time": "2018-02-01T01:01:48.349Z",
"transport": "tcp",
"type": "flow"
},
"fields": {
"start_time": [
1517446908349
],
"@timestamp": [
1517446960701
],
"last_time": [
1517446908349
]
},
"sort": [
1517446960701
]
}
我的搜索查询:
{
"size":0,
"query":{
"bool":{
"must":[
{
"range":{
"_source.@timestamp":{
"gte": "2018-02-01T01:00:00.000Z",
"lte": "2018-02-01T01:05:00.000Z"
}
}
}
]
}
},
"aggs":{
"total":{
"sum":{
"field":"stats.packets_total "
}
}
}
}
请帮我解决这个问题。谢谢
答案 0 :(得分:0)
你几乎就在那里,stats.packets_total应该是source.stats.packets_total(并确保删除字段名称末尾的空格),如下所示:
{
"size":0,
"query":{
"bool":{
"must":[
{
"range":{
"@timestamp":{
"gte": "2018-02-01T01:00:00.000Z",
"lte": "2018-02-01T01:05:00.000Z"
}
}
}
]
}
},
"aggs":{
"total":{
"sum":{
"field":"source.stats.packets_total"
}
}
}
}