我是 ELK Stack 的新手。我正在制作一个 Kibana 仪表板,想计算每天的计数与前一天相比的差值,这样我们就能知道每天的销售额比前一天增长了多少。
供参考:Present Dashboard。我编写了一个查询,用于查找每个日期的计数,以及按版本号划分的存储桶。
我的查询:
{
"aggs": {
"2": {
"date_histogram": {
"field": "install_date",
"interval": "1d",
"time_zone": "America/New_York",
"min_doc_count": 1
},
"aggs": {
"3": {
"terms": {
"field": "version.keyword",
"size": 50,
"order": {
"_key": "desc"
},
"script": "( _value.indexOf('-') > 0 ? _value.substring(0, _value.indexOf('-')+2) : _value )"
},
"aggs": {
"1": {
"sum_bucket": {
"buckets_path": "1-bucket>_count"
}
},
"1-bucket": {
"date_histogram": {
"field": "install_date",
"interval": "1d",
"time_zone": "America/New_York",
"min_doc_count": 1
}
}
}
}
}
}
},
"size": 0,
"_source": {
"excludes": []
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "deploy_date_asset_tag",
"format": "date_time"
},
{
"field": "deploy_date_localtime",
"format": "date_time"
},
{
"field": "install_date",
"format": "date_time"
},
{
"field": "timestamp",
"format": "date_time"
},
{
"field": "ui_legacy_access",
"format": "date_time"
},
{
"field": "ui_satori_access",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [
{
"match_all": {}
},
{
"match_all": {}
},
{
"range": {
"timestamp": {
"gte": 1408458089497,
"lte": 1566224489497,
"format": "epoch_millis"
}
}
}
],
"filter": [],
"should": [],
"must_not": []
}
}
}
答案 0 :(得分:0)
感谢您的答复。问题解决了!必须在 date_histogram 聚合下使用序列差分(serial differencing,即 serial_diff)聚合。