我在Ubuntu 16.04 LTS中使用的ELK版本为6.1.1。
问题陈述:
我有一些日志,每个小时都有日志。首先,我想找到该日志行中特定字段的最大值,现在我要获取该字段的值为max的日志行,并从该日志行中提取另一个字段的值并在矩阵可视化中显示。
我能够获得该字段的最大值,但是我不知道如何获取该日志行并从中提取另一个字段。
这就像数据库查询-
SELECT log2 FROM loggs WHERE field1 ='max(field1)'AND duration = 'selected_duration'
;
有人可以帮我解决问题吗?
谢谢
答案 0 :(得分:0)
GET loggs/_search
{
"size": 0,
"aggs": {
"NAMEField":{
"terms": {
"field": "field2"
}
},
"max_score": {
"max": {
"field": "field1"
}
}
},
"query": {
"range": {
"timestamp": {
"gte": "now-4d/d",
"lte": "now/d"
}
}
}
}
答案 1 :(得分:0)
您的查询应为:
GET metricbeat-*/_search
{
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-15m",
"lte": "now"
}
}
}
]
}
},
"aggs": {
"allField2": {
"terms": {
"field": "field2"
}
},
"maxValue": {
"max": {
"field": "field1"
}
}
}
}
输出将是:
{
"took": 15,
"timed_out": false,
"_shards": {
"total": 65,
"successful": 65,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 1215,
"max_score": 0,
"hits": []
},
"aggregations": {
"allField2": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 80,
"buckets": [
{
"key": 0.21092499792575836,
"doc_count": 1
},
{
"key": 0.21797500550746918,
"doc_count": 1
},
{
"key": 0.22032499313354492,
"doc_count": 1
},
{
"key": 0.23864999413490295,
"doc_count": 1
},
{
"key": 0.23907500505447388,
"doc_count": 1
},
{
"key": 0.24650000035762787,
"doc_count": 1
},
{
"key": 0.24842500686645508,
"doc_count": 1
},
{
"key": 0.2488500028848648,
"doc_count": 1
},
{
"key": 0.2504250109195709,
"doc_count": 1
},
{
"key": 0.2511749863624573,
"doc_count": 1
}
]
},
"maxValue": {
"value": 3.1563000679016113
}
}
}
答案 2 :(得分:-1)
GET loggs/_search
{
"size": 0,
"aggs": {
"NAME": {
"max": {
"field": "field1"
}
}
},
"query": {
"range": {
"timestamp": {
"gte": "now-4d/d",
"lte": "now/d"
}
}
}
}