I imitated how Kibana builds its search queries and came up with the query below. Basically, I am looking for the last 6 days of data (including the days that have no data, because I need to feed it to a chart). But the buckets that come back give me more than just that. I want to understand where I am going wrong.
{
  "version": true,
  "size": 0,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "_source": {
    "excludes": []
  },
  "aggs": {
    "target_traffic": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1d",
        "time_zone": "Asia/Kolkata",
        "min_doc_count": 0,
        "extended_bounds": {
          "min": "now-6d/d",
          "max": "now"
        }
      },
      "aggs": {
        "days_filter": {
          "filter": {
            "range": {
              "@timestamp": {
                "gt": "now-6d",
                "lte": "now"
              }
            }
          },
          "aggs": {
            "in_bytes": {
              "sum": {
                "field": "netflow.in_bytes"
              }
            },
            "out_bytes": {
              "sum": {
                "field": "netflow.out_bytes"
              }
            }
          }
        }
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    "@timestamp",
    "netflow.first_switched",
    "netflow.last_switched"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "( flow.src_addr: ( \"10.5.5.1\" OR \"10.5.5.2\" ) OR flow.dst_addr: ( \"10.5.5.1\" OR \"10.5.5.2\" ) ) AND flow.traffic_locality: \"private\"",
            "analyze_wildcard": true,
            "default_field": "*"
          }
        }
      ]
    }
  }
}
Answer 0 (score: 1)
If you put the range filter in the aggregation part of the request while the query itself has no date range at all, what will happen is that your aggregation runs over all of the data, and the metrics are bucketed per day across all of the data.

The range query on @timestamp should be moved into the query section, so that the aggregation is only computed on the data you actually want (i.e. the last 6 days).
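To make the answer concrete, here is an added example (not from the asker or the answerer) in Python. It takes a trimmed copy of the request above, moves the days_filter range into query.bool.filter and attaches the two sum metrics directly to the date_histogram. It also includes a toy, day-granularity model of how date_histogram with min_doc_count 0 and extended_bounds chooses its buckets, so you can see why the original shape returns buckets older than 6 days: the filter sub-aggregation only zeroes the metrics inside each bucket, it does not stop the histogram from creating a bucket for every older document that the query still matches. The sample documents and the fixed "today" are constructed; nothing here talks to a real cluster.

```python
import copy
from datetime import date, timedelta

# Constructed: the asker's request reduced to the parts that matter.
ORIGINAL_QUERY = {
    "size": 0,
    "aggs": {
        "target_traffic": {
            "date_histogram": {
                "field": "@timestamp",
                "interval": "1d",
                "time_zone": "Asia/Kolkata",
                "min_doc_count": 0,
                "extended_bounds": {"min": "now-6d/d", "max": "now"},
            },
            "aggs": {
                "days_filter": {
                    "filter": {"range": {"@timestamp": {"gt": "now-6d", "lte": "now"}}},
                    "aggs": {
                        "in_bytes": {"sum": {"field": "netflow.in_bytes"}},
                        "out_bytes": {"sum": {"field": "netflow.out_bytes"}},
                    },
                }
            },
        }
    },
    "query": {
        "bool": {
            "must": [
                {"query_string": {"query": 'flow.traffic_locality: "private"', "default_field": "*"}}
            ]
        }
    },
}


def move_range_into_query(q, hist_name="target_traffic", wrapper_name="days_filter"):
    """Return a copy of q in which the range filter that wraps the metric
    sub-aggregations is moved to query.bool.filter and the metrics are
    attached directly under the date_histogram. The input is not modified."""
    q = copy.deepcopy(q)
    hist = q["aggs"][hist_name]
    wrapper = hist["aggs"].pop(wrapper_name)          # {"filter": ..., "aggs": {...}}
    hist["aggs"].update(wrapper["aggs"])               # in_bytes / out_bytes now sit on the histogram
    q["query"]["bool"].setdefault("filter", []).append(wrapper["filter"])
    return q


# Constructed sample data: one document per day for the last 10 days.
TODAY = date(2020, 1, 10)
SAMPLE_DOCS = [TODAY - timedelta(days=i) for i in range(10)]


def histogram_buckets(docs, today, range_in_query):
    """Toy model (day granularity, no time zones) of a 1d date_histogram with
    min_doc_count 0 and extended_bounds now-6d/d..now.

    Buckets come from two sources: every day that has at least one document
    matching the *query*, plus every day inside extended_bounds. A filter
    sub-aggregation does not remove documents from the histogram, so it only
    matters when range_in_query is True."""
    lower = today - timedelta(days=6)
    if range_in_query:
        docs = [d for d in docs if lower <= d <= today]
    days_with_docs = set(docs)
    bounds = {lower + timedelta(days=i) for i in range(7)}
    return sorted(days_with_docs | bounds)


if __name__ == "__main__":
    fixed = move_range_into_query(ORIGINAL_QUERY)
    print("range now in query.bool.filter:", fixed["query"]["bool"]["filter"])
    print("buckets, range only in sub-agg:", len(histogram_buckets(SAMPLE_DOCS, TODAY, False)))
    print("buckets, range in query:       ", len(histogram_buckets(SAMPLE_DOCS, TODAY, True)))
```

With the sample data the original shape yields 10 daily buckets (the 7 you asked for plus 3 older days that still have matching documents), while the rewritten request yields exactly 7.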