Here is an example of my file
{
"@timestamp": "2020-04-24T19:36:52.484Z",
"token": "123",
"application": "sso_api_v3",
"ssoapiv3_method": "GET",
"ssoapiv3_error_description": "Your access token has expired",
"code": 401,
"message": "\"message\"",
"level": 6,
"facility": "sso_api_v3",
"type": "gelf"
}
[...]
{
"@timestamp": "2020-04-24T19:37:52.484Z",
"token": "123",
"application": "sso_api_v3",
"ssoapiv3_method": "GET",
"ssoapiv3_error_description": "Your access token has expired",
"code": 200,
"message": "\"message\"",
"level": 6,
"facility": "sso_api_v3",
"type": "gelf"
}
[...]
I have a large number of requests, and I want to run a search that returns the documents that share the same token but have code 200 and code 401. I can get all the 200s, or all the 401s, but I cannot get them for the same token.
Answer 0 (score: 1)
There are two ways.
Query (the outer `filter` aggregation keeps only documents whose code is 200 or 401; the nested `terms` aggregation groups them by token, and `top_hits` fetches the documents under each token):
{
"size": 0,
"aggs": {
"code": {
"filter": {
"terms": {
"code": [
200,
401
]
}
},
"aggs": {
"token": {
"terms": {
"field": "token.keyword",
"size": 10
},
"aggs": {
"docs": {
"top_hits": {
"size": 10
}
}
}
}
}
}
}
}
Result:
"aggregations" : {
"code" : {
"doc_count" : 1,
"token" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "123",
"doc_count" : 1,
"docs" : {
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "index9",
"_type" : "_doc",
"_id" : "16UKynEBAWHHnYGORq-d",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2020-04-24T19:36:52.484Z",
"token" : "123",
"application" : "sso_api_v3",
"ssoapiv3_method" : "GET",
"ssoapiv3_error_description" : "Your access token has expired",
"code" : 401,
"message" : """"message"""",
"level" : 6,
"facility" : "sso_api_v3",
"type" : "gelf"
}
}
]
}
}
}
]
}
}
}
Collapsing returns the top 1 document per value of the group field. You can fetch the other documents under that group using inner_hits.
Query:
{
"query": {
"terms": {
"code": [
200,
401
]
}
},
"collapse": {
"field": "token.keyword",
"inner_hits": {
"name": "docs",
"size": 10,
"sort": [{ "@timestamp": "asc" }]
}
}
}
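Both queries in the answer group the 200 and 401 responses by token, but neither restricts the result to tokens that actually produced both codes, which is what the question asks for. The following Python is an added example, not code from the answer or from Elasticsearch: it runs the same grouping locally over a handful of constructed GELF-style documents, keeps only the tokens that have both codes, flags the security-relevant ordering (a 200 after a 401 "expired" on the same token), and builds an Elasticsearch request body that pushes the "both codes" condition into the cluster with a `bucket_selector` pipeline aggregation. The `ok>_count` style buckets_path and the Painless script are assumptions about the ES version in use and are not executed here.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample documents in the shape of the question's GELF logs.
# Token "123" is the case from the question (401 expired, then 200 a minute later).
# Token "abc" has both codes but in the opposite order; "456" only 200s; "789" only 401s.
SAMPLE_DOCS = [
    {"@timestamp": "2020-04-24T19:36:52.484Z", "token": "123", "code": 401,
     "ssoapiv3_error_description": "Your access token has expired"},
    {"@timestamp": "2020-04-24T19:37:52.484Z", "token": "123", "code": 200},
    {"@timestamp": "2020-04-24T19:30:00.000Z", "token": "abc", "code": 200},
    {"@timestamp": "2020-04-24T19:31:00.000Z", "token": "abc", "code": 401},
    {"@timestamp": "2020-04-24T19:32:00.000Z", "token": "456", "code": 200},
    {"@timestamp": "2020-04-24T19:33:00.000Z", "token": "789", "code": 401},
    {"@timestamp": "2020-04-24T19:34:00.000Z", "token": "789", "code": 401},
    {"@timestamp": "2020-04-24T19:35:00.000Z", "token": "123", "code": 500},  # ignored
]


def parse_ts(value):
    """Parse the ISO-8601 @timestamp used in the logs (milliseconds, UTC 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def group_by_token(docs, codes=(200, 401)):
    """Local equivalent of the terms/collapse step: bucket documents by token,
    keeping only the wanted codes, each bucket sorted by @timestamp ascending."""
    groups = defaultdict(list)
    for doc in docs:
        if doc.get("token") and doc.get("code") in codes:
            groups[doc["token"]].append(doc)
    for token in groups:
        groups[token].sort(key=lambda d: parse_ts(d["@timestamp"]))
    return dict(groups)


def tokens_with_both(groups, codes=(200, 401)):
    """Tokens whose bucket contains every code in `codes` (what the question asks for)."""
    wanted = set(codes)
    return sorted(t for t, docs in groups.items()
                  if wanted <= {d["code"] for d in docs})


def success_after_expiry(groups):
    """Tokens where a 200 is recorded *after* a 401 on the same token.
    An expired token that later succeeds is the pattern worth investigating
    (clock skew, token reuse, or a bypass); a 401 after a 200 is just normal expiry."""
    flagged = []
    for token, docs in groups.items():
        seen_401 = False
        for doc in docs:  # already time-ordered by group_by_token
            if doc["code"] == 401:
                seen_401 = True
            elif doc["code"] == 200 and seen_401:
                flagged.append(token)
                break
    return sorted(flagged)


def both_codes_query(size=10):
    """Request body that returns only tokens having at least one 200 and one 401.
    Assumption: filter sub-aggregations expose their document count to a
    bucket_selector via the '<agg>>_count' buckets_path (ES 6.x+ pipeline aggs)."""
    return {
        "size": 0,
        "query": {"terms": {"code": [200, 401]}},
        "aggs": {
            "token": {
                "terms": {"field": "token.keyword", "size": size},
                "aggs": {
                    "ok": {"filter": {"term": {"code": 200}}},
                    "expired": {"filter": {"term": {"code": 401}}},
                    "both": {
                        "bucket_selector": {
                            "buckets_path": {"ok": "ok>_count", "expired": "expired>_count"},
                            "script": "params.ok > 0 && params.expired > 0",
                        }
                    },
                    "docs": {"top_hits": {"size": size,
                                          "sort": [{"@timestamp": {"order": "asc"}}]}},
                },
            }
        },
    }


if __name__ == "__main__":
    groups = group_by_token(SAMPLE_DOCS)
    print("tokens with both codes:", tokens_with_both(groups))
    print("200 after 401:", success_after_expiry(groups))
    print(json.dumps(both_codes_query(), indent=2))
```

The local functions are the check to run over an exported hit list (for example the `inner_hits` from the collapse query), while `both_codes_query()` moves the same condition server-side so that the terms buckets for tokens with only one of the two codes are dropped before `top_hits` fetches any documents.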