根据文档,您可以在类型为关键字或非文本字段或在索引映射中将 fielddata 设置为true的字段上运行ElasticSearch聚合。 / p>
我正在尝试在nginx日志中计算 city_names 。它可以与int字段 result 一起使用。但是,即使我更新了索引映射以放置 fielddata = true ,它也不适用于city_name字段。 不需要,因为它的类型为关键字。
说它不起作用意味着:
"aggregations" : {
"cities" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [ ]
}
}
这是字段映射:
"city_name" : {
"type" : "text",
"fielddata" : true
},
这是侵略性查询:
curl -XGET --user $pwd --header 'Content-Type: application/json' https://58571402f5464923883e7be42a037917.eu-central-1.aws.cloud.es.io:9243/logstash/_search?pretty -d '{
"aggs" : {
"cities": {
"terms" : { "field": "city_name"}
}
}
}'
答案 0 :(得分:1)
如果执行搜索时没有任何错误,则似乎更像是数据问题。您是否确定至少有一个文档填写了 city_name 字段?
我试图通过ElasticSearch 6.6.2重现您的问题。
我创建了一个索引
PUT cities
{
"mappings": {
"city": {
"dynamic": "true",
"properties": {
"id": {
"type": "long"
},
"city_name": {
"type": "text",
"fielddata": true
}
}
}
}
}
我添加了一个没有city_name的文档
PUT cities/city/1
{
"id": "1"
}
当我执行搜索时:
GET cities/_search
{
"aggs": {
"cities": {
"terms" : { "field": "city_name"}
}
}
}
在城市聚合中我没有水桶。但是当我添加一个城市名称填满的文档时:
PUT cities/city/2
{
"id": "2",
"city_name": "London"
}
我得到了预期的结果:
{
"took" : 3,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 2,
"max_score" : 1.0,
"hits" : [
{
"_index" : "cities",
"_type" : "city",
"_id" : "2",
"_score" : 1.0,
"_source" : {
"id" : "2",
"city_name" : "london"
}
},
{
"_index" : "cities",
"_type" : "city",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"id" : "1"
}
}
]
},
"aggregations" : {
"cities" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "london",
"doc_count" : 1
}
]
}
}
}