如何在Elasticsearch中组合多个aggs?

时间:2018-07-10 01:40:54

标签: elasticsearch elasticsearch-aggregation

我想计算一天中每种产品的每个IP访问计数。

一个索引(nginx-access-log)中包含三个参数:

  • 时间戳
  • clientip
  • product_id

我知道date_histogram可以引用https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-datehistogram-aggregation.html

计数可以参考https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-cardinality-aggregation.html#_precision_control

但是我不知道如何结合aggs来构建脚本。

更新:

我使用以下脚本进行搜索

GET log-nginx_access*/_search 
{
  "aggs": {
    "by_day": {
      "date_histogram": {
        "field": "timestamp",
        "interval": "1d",
        "time_zone": "Asia/Shanghai",
        "min_doc_count": 1
      },
      "aggs": {
        "by_product": {
          "terms": {
            "field": "uri_args.product_id",
            "size": 100
          }
        },
        "aggs": {
          "by_ip": {
            "terms": {
              "field": "clientip"
            }
          }
        }
      }
    }
  }
}

得到错误:

{
  "error": {
    "root_cause": [
      {
        "type": "unknown_named_object_exception",
        "reason": "Unknown BaseAggregationBuilder [by_ip]",
        "line": 18,
        "col": 20
      }
    ],
    "type": "unknown_named_object_exception",
    "reason": "Unknown BaseAggregationBuilder [by_ip]",
    "line": 18,
    "col": 20
  },
  "status": 400
}

1 个答案:

答案 0 :(得分:1)

也许我们可以使用termsdate_histogram聚合

参考:https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html 

GET /{index_name}
{  
  "aggs": {
    "by_day": {
      "date_histogram": {
        "field" : "timestamp",
        "interval" : "day"
      },
      "aggs": {
        "by_product": {
          "terms" : {
            "field" : "product",
            "size": 100 // 100 unique products will be aggregated
          },
          "aggs": {
            "by_ip": {
              "terms" : {
                "field" : "ip"
              }
            }
          }
        }            
      }
    }
  }
}

terms聚合的响应中有doc_count字段,可能满足您的要求。我们必须考虑的一件事是size参数,以定义聚合的唯一性。

相关问题
最新问题