I want to pass an event_id to Kibana / Elasticsearch and find the minimum and maximum dates for this event_id from the @timestamp field. Then I want to set the date range to those dates and display all results. I think this should be possible.
I can get the min and max with this aggregation:
GET /filebeat-*/_search
{
  "query": {
    "match": {
      "event_id": 1234
    }
  },
  "aggs": {
    "min_date": { "min": { "field": "@timestamp" } },
    "max_date": { "max": { "field": "@timestamp" } }
  }
}
I can get results by searching a specific date range:
GET /filebeat-*/_search
{
  "query": {
    "bool": {
      "filter": {
        "range": { "@timestamp": { "gte": "2020-09-11T13:35:35.000Z", "lte": "2020-09-24T20:35:07.000Z" } }
      }
    }
  }
}
How can I combine the two so that I only change the event_id and the date range is set automatically?
Edit:
I can do this:
GET /filebeat-*/_search
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "event_id": 1234
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "lte": "2020-09-25",
            "gte": "2020-09-24"
          }
        }
      }
    }
  },
  "aggs": {
    "min_date": {
      "min": {
        "field": "@timestamp"
      }
    },
    "max_date": {
      "max": {
        "field": "@timestamp"
      }
    }
  }
}
But what I actually want to do is something like this:
GET /filebeat-*/_search
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "event_id": 1234
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "lte": "max_date",
            "gte": "min_date"
          }
        }
      }
    }
  },
  "aggs": {
    "min_date": {
      "min": {
        "field": "@timestamp"
      }
    },
    "max_date": {
      "max": {
        "field": "@timestamp"
      }
    }
  }
}
But this results in an error: "failed to parse date field [min_date]". Is it possible to use the aggregated min and max values to define the date range?
Answer 0 (score: 0)
Since you have not provided any sample index data, I am applying the range query on a field of type date.
Adding a working example with index mapping, index data, search query, and search result.
Index mapping:
{
  "mappings": {
    "properties": {
      "date": {
        "type": "date"
      }
    }
  }
}
Index data:
{
  "date": "2015-02-10",
  "event_id": "1234"
}
{
  "date": "2015-01-01",
  "event_id": "1235"
}
{
  "date": "2015-02-01",
  "event_id": "1234"
}
{
  "date": "2015-02-01",
  "event_id": "1235"
}
{
  "date": "2015-01-20",
  "event_id": "1234"
}
Search query:
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "event_id": 1234
        }
      },
      "filter": {
        "range": {
          "date": {
            "lte": "2015-02-15",
            "gte": "2015-01-11"
          }
        }
      }
    }
  },
  "aggs": {
    "min_date": {
      "min": {
        "field": "date"
      }
    },
    "max_date": {
      "max": {
        "field": "date"
      }
    }
  }
}
Search result:
"hits": {
  "total": {
    "value": 3,
    "relation": "eq"
  },
  "max_score": 0.44183272,
  "hits": [
    {
      "_index": "stof_64127765",
      "_type": "_doc",
      "_id": "3",
      "_score": 0.44183272,
      "_source": {
        "date": "2015-02-01",
        "event_id": "1234"
      }
    },
    {
      "_index": "stof_64127765",
      "_type": "_doc",
      "_id": "1",
      "_score": 0.44183272,
      "_source": {
        "date": "2015-02-10",
        "event_id": "1234"
      }
    },
    {
      "_index": "stof_64127765",
      "_type": "_doc",
      "_id": "5",
      "_score": 0.44183272,
      "_source": {
        "date": "2015-01-20",
        "event_id": "1234"
      }
    }
  ]
},
"aggregations": {
  "max_date": {
    "value": 1.4235264E12,
    "value_as_string": "2015-02-10T00:00:00.000Z"
  },
  "min_date": {
    "value": 1.421712E12,
    "value_as_string": "2015-01-20T00:00:00.000Z"
  }
}
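The error in the question comes from Elasticsearch having no way to reference an aggregation result inside the same request's filter, so the range has to be filled in by the client in a second request. The following is an added example, not code from the question or the answer: it builds the aggregation-only query, then takes the `value_as_string` bounds from the response (the sample response below is constructed from the answer's output) and produces the filtered query. The field names and the `size: 0` optimisation are assumptions.

```python
from typing import Any, Dict

# Constructed sample: the "aggregations" section of the answer's search result.
SAMPLE_AGG_RESPONSE: Dict[str, Any] = {
    "aggregations": {
        "max_date": {"value": 1.4235264e12, "value_as_string": "2015-02-10T00:00:00.000Z"},
        "min_date": {"value": 1.421712e12, "value_as_string": "2015-01-20T00:00:00.000Z"},
    }
}


def min_max_query(event_id: int, date_field: str = "@timestamp") -> Dict[str, Any]:
    """Round trip 1: match the event_id and ask only for min/max of the date field."""
    return {
        "size": 0,  # hits are not needed here, only the aggregation values
        "query": {"match": {"event_id": event_id}},
        "aggs": {
            "min_date": {"min": {"field": date_field}},
            "max_date": {"max": {"field": date_field}},
        },
    }


def range_query_from_aggs(
    event_id: int, agg_response: Dict[str, Any], date_field: str = "@timestamp"
) -> Dict[str, Any]:
    """Round trip 2: put the aggregated bounds into the bool/filter/range query.

    When nothing matched event_id, min/max come back as null and carry no
    value_as_string; a query built from that would be wrong, so fail loudly.
    """
    aggs = agg_response["aggregations"]
    lo = aggs["min_date"].get("value_as_string")
    hi = aggs["max_date"].get("value_as_string")
    if lo is None or hi is None:
        raise ValueError(f"no documents matched event_id={event_id}; bounds are null")
    return {
        "query": {
            "bool": {
                "must": {"match": {"event_id": event_id}},
                "filter": {"range": {date_field: {"gte": lo, "lte": hi}}},
            }
        }
    }


if __name__ == "__main__":
    import json
    print(json.dumps(min_max_query(1234, "date"), indent=2))
    print(json.dumps(range_query_from_aggs(1234, SAMPLE_AGG_RESPONSE, "date"), indent=2))
```

Send the first query to `/filebeat-*/_search`, feed the JSON response into `range_query_from_aggs`, and send the result as the second query.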