我具有以下数据集,并且我希望根据状态进行汇总。不确定如何将状态值与被拒绝或成功进行比较,并获得结果计数。
{
"took": 4,
"timed_out": false,
"_shards": {
"total": 3,
"successful": 3,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 2874,
"max_score": 1,
"hits": [
{
"_index": "testfiles",
"_type": "testfiles",
"_id": "testfile.one",
"_score": 1,
"_source": {
"businessDate": 20171013,
"status": "Success"
}
},
{
"_index": "testfiles",
"_type": "testfiles",
"_id": "testfile.two",
"_score": 1,
"_source": {
"businessDate": 20171013,
"status": "Success"
}
},
{
"_index": "testfiles",
"_type": "testfiles",
"_id": "testfile.three",
"_score": 1,
"_source": {
"businessDate": 20171013,
"status": "Rejected"
}
},
{
"_index": "testfiles",
"_type": "testfiles",
"_id": "testfile.four",
"_score": 1,
"_source": {
"businessDate": 20171013,
"status": "Rejected"
}
}
]
}
}
有人可以帮助如何在弹性搜索聚合中实现这一目标。
预期的响应如下
"aggregations": {
"success_records": 2,
"rejected_records": 2
}
答案 0 :(得分:1)
假设status字段的类型为text,则需要将其更新为具有聚合所需的keyword类型的multi-fields。然后使用以下查询:
GET my_index/_search
{
"size": 0,
"aggs": {
"statuses": {
"terms": {
"field": "status.raw"
}
}
}
如果您已经将status作为keyword字段,则在上面的查询中将status.raw更改为status。