我无法在特定日期范围内执行嵌套聚合。
理想情况下,我希望获得前一天和当天的两个字段的%值。这是JSON(这是弹性观察者的一部分,而不是整个配置):
{
"metadata":{
"threshold":5,
"interval":"2m",
"window":"2d"
},
"trigger":{
"schedule":{
"interval":"2m"
}
},
"input":{
"search":{
"request":{
"indices":[
"filebeat-*"
],
"types":[
"doc"
],
"body": {
"aggs": {
"aggs1": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-2d/d"
},
{
"to": "now-2d/d"
}
]
},
"aggs": {
"max": {
"script": {
"source": "(doc['upstream'].value\/100)"
}
}
}
}
},
"aggs2": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-2d/d"
},
{
"to": "now-2d/d"
}
]
}
},
"aggs": {
"max": {
"script": {
"source": "(doc['downstream'].value\/100)"
}
}
}
},
"aggs3": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-1d/d"
},
{
"to": "now/d"
}
]
}
},
"aggs": {
"max": {
"script": {
"source": "(doc['upstream'].value\/100)"
}
}
}
},
"aggs4": {
"range": {
"date_range": {
"ranges": [
{
"from": "now-1d/d"
},
{
"to": "now/d"
}
]
}
},
"aggs": {
"max": {
"script": {
"source": "(doc['downstream'].value\/100)"
}
}
}
}
},
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"lte": "now",
"gte": "now-{{ctx.metadata.window}}"
}
}
}
}
}
}
}
}
}
}
我想要的是为当天和前一天的两个字段设置4个值,以便我可以获得值之间的差异以便进一步处理。
感谢。