I'd like to know whether it is possible to do this. Suppose I have a testindex with the following mapping:

{
  "properties": {
    "datetime": {
      "type": "date"
    },
    "datetime_range": {
      "type": "date_range"
    },
    "devname": {
      "type": "keyword"
    },
    "group": {
      "type": "keyword"
    },
    "my_join_field": {
      "type": "join",
      "eager_global_ordinals": true,
      "relations": {
        "startevent": "traffic"
      }
    },
    "new_rcvdbyte": {
      "type": "long"
    },
    "new_sentbyte": {
      "type": "long"
    },
    "rcvdbyte": {
      "type": "long"
    },
    "sentbyte": {
      "type": "long"
    },
    "tunnelid": {
      "type": "keyword"
    },
    "user": {
      "type": "keyword"
    }
  }
}
which contains the following sample documents:

[
  {
    "user": "someuser",
    "devname": "somedevice",
    "datetime_range": {
      "gte": "2020-10-21T15:50:57",
      "lte": "2020-10-21T16:50:57"
    },
    "my_join_field": "startevent"
  },
  {
    "user": "someuser",
    "group": "somegroup",
    "devname": "somedevice",
    "datetime": "2020-10-21T15:52:57",
    "sentbyte": 123,
    "rcvdbyte": 456,
    "new_sentbyte": 123,
    "new_rcvdbyte": 456,
    "my_join_field": {
      "name": "traffic",
      "parent": "1"
    }
  },
  {
    "user": "someuser",
    "group": "somegroup",
    "devname": "somedevice",
    "datetime": "2020-10-21T15:54:57",
    "sentbyte": 246,
    "rcvdbyte": 912,
    "new_sentbyte": 123,
    "new_rcvdbyte": 456,
    "my_join_field": {
      "name": "traffic",
      "parent": "1"
    }
  }
]
I'd like to be able to aggregate these documents so that the output looks something like:

{
  "user": "someuser",
  "devname": "somedevice",
  "datetime_range": {
    "gte": "2020-10-21T15:50:57",
    "lte": "2020-10-21T16:50:57"
  },
  "group": "somegroup",
  "new_sentbyte_sum": 246,
  "new_rcvdbyte_sum": 912
}
The most I can come up with is inner_hits inside has_child, but that doesn't solve the sum: I need both the new_rcvdbyte and new_sentbyte fields contained in the child documents.

Note: to be clear, this is not the same as using the regular rcvdbyte or sentbyte fields, because I will be filtering the inner_hits by datetime interval.
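One way to get per-parent sums of the child documents, added here as an example and not code from the original post. The first function builds the Elasticsearch request body that does the sum server-side with a `children` aggregation (nested under a `terms` aggregation on the parent's `user` field, with a `filter` aggregation on the child's `datetime`); the second runs the same computation offline over constructed copies of the question's documents, applying each parent's own `datetime_range`, so the expected output shape can be checked without a cluster. Assumptions not stated in the question: the parent document has `_id` "1" (the id the children point at) and the index is called `testindex`.

```python
"""Added example, not code from the original post: summing `traffic` child
documents per `startevent` parent for the join mapping shown above.

Assumptions: the parent document has _id "1" (the id the children point at)
and the index is called `testindex`. Nothing here talks to a cluster.
"""
import json
from datetime import datetime
from typing import Dict, List, Union

INDEX = "testindex"  # index name used in the question


def build_child_sum_request(window_gte: str, window_lte: str) -> Dict:
    """Body for POST /testindex/_search.

    A `range` query on the child's `datetime` cannot read the parent's own
    `datetime_range`, so the window is a fixed per-request value: send one
    request per parent window, or apply each parent's range client-side as
    summarise_locally() does below.
    """
    return {
        "size": 0,
        # only parent documents feed the terms buckets; the children are
        # reached from each bucket through the `children` aggregation
        "query": {"term": {"my_join_field": "startevent"}},
        "aggs": {
            "by_user": {
                "terms": {"field": "user"},
                "aggs": {
                    # parent-side fields wanted in the output
                    "parent_fields": {
                        "top_hits": {"size": 1, "_source": ["devname", "datetime_range"]}
                    },
                    # switch from the parent bucket to its `traffic` children
                    "traffic": {
                        "children": {"type": "traffic"},
                        "aggs": {
                            "in_window": {
                                "filter": {
                                    "range": {"datetime": {"gte": window_gte, "lte": window_lte}}
                                },
                                "aggs": {
                                    "groups": {"terms": {"field": "group"}},
                                    "new_sentbyte_sum": {"sum": {"field": "new_sentbyte"}},
                                    "new_rcvdbyte_sum": {"sum": {"field": "new_rcvdbyte"}},
                                },
                            }
                        },
                    },
                },
            }
        },
    }


# Constructed sample data: the question's documents, plus one child that falls
# outside the parent's datetime_range and must therefore not be counted.
PARENTS: List[Dict] = [
    {"_id": "1", "user": "someuser", "devname": "somedevice",
     "datetime_range": {"gte": "2020-10-21T15:50:57", "lte": "2020-10-21T16:50:57"},
     "my_join_field": "startevent"},
]
CHILDREN: List[Dict] = [
    {"user": "someuser", "group": "somegroup", "devname": "somedevice",
     "datetime": "2020-10-21T15:52:57", "new_sentbyte": 123, "new_rcvdbyte": 456,
     "my_join_field": {"name": "traffic", "parent": "1"}},
    {"user": "someuser", "group": "somegroup", "devname": "somedevice",
     "datetime": "2020-10-21T15:54:57", "new_sentbyte": 123, "new_rcvdbyte": 456,
     "my_join_field": {"name": "traffic", "parent": "1"}},
    {"user": "someuser", "group": "somegroup", "devname": "somedevice",
     "datetime": "2020-10-21T17:10:00", "new_sentbyte": 999, "new_rcvdbyte": 999,
     "my_join_field": {"name": "traffic", "parent": "1"}},  # outside the range
]


def summarise_locally(parents: List[Dict], children: List[Dict]) -> List[Dict]:
    """Per parent: keep the children that point at it AND whose datetime lies
    inside that parent's own datetime_range, then sum the new_* counters."""
    out = []
    for p in parents:
        lo = datetime.fromisoformat(p["datetime_range"]["gte"])
        hi = datetime.fromisoformat(p["datetime_range"]["lte"])
        kids = [c for c in children
                if c["my_join_field"].get("parent") == p["_id"]
                and lo <= datetime.fromisoformat(c["datetime"]) <= hi]
        groups = sorted({c["group"] for c in kids})
        group: Union[str, List[str], None] = groups[0] if len(groups) == 1 else (groups or None)
        out.append({
            "user": p["user"],
            "devname": p["devname"],
            "datetime_range": p["datetime_range"],
            "group": group,
            "new_sentbyte_sum": sum(c["new_sentbyte"] for c in kids),
            "new_rcvdbyte_sum": sum(c["new_rcvdbyte"] for c in kids),
        })
    return out


if __name__ == "__main__":
    print(json.dumps(build_child_sum_request("2020-10-21T15:50:57", "2020-10-21T16:50:57"), indent=2))
    print(json.dumps(summarise_locally(PARENTS, CHILDREN), indent=2))
```

Two things to check before relying on the server-side version: child documents must be indexed with `routing` set to the parent's id, or the `children` aggregation will not find them on the parent's shard; and the `filter` window is the same for every bucket in one request, so per-parent ranges mean either one request per parent or the client-side filtering shown in summarise_locally().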