我有以下数据:
{"action":"CREATE","docs":1,"date":"2016 Jun 26 12:00:12","userid":"1234"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 27 12:00:12","userid":"1234"}
{"action":"REPLACE","docs":1,"date":"2016 Jun 27 13:00:12","userid":"1234"}
{"action":"CREATE","docs":1,"date":"2016 Jun 28 12:00:12","userid":"3431"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 28 13:00:12","userid":"3431"}
{"action":"CREATE","docs":1,"date":"2016 Jun 29 12:00:12","userid":"9999"}为了获得每个唯一用户按日期排序(降序)的记录,我使用了如下所示的Top Hits:
"aggs": {
"user_bucket": {
"terms": {
"field": "userid"
},
"aggs": {
"user_latest_count": {
"top_hits": {
"size": 1,
"sort": [
{
"data": {
"order": "desc"
}
}
],
"_source": {
"include": [
"docs"
]
}
}
}
}
}
}上述查询结果如下:
{"action":"REPLACE","docs":1,"date":"2016 Jun 27 13:00:12","userid":"1234"}
{"action":"REPLACE","docs":2,"date":"2016 Jun 28 13:00:12","userid":"3431"}
{"action":"CREATE","docs":1,"date":"2016 Jun 29 12:00:12","userid":"9999"}现在,我想将其进一步汇总,结果如下所示:
{"sum_of_different_buckets": 4}但不确定如何从上面得到的结果中求和字段“文档”的值。
3条答案
按热度按时间3wabscal1#
您还可以在聚合中任意嵌套聚合,以从数据中提取所需的汇总数据。可能是下面的样片作品。
vfwfrxfs2#
您可以在TOP_HIT的并行级别上有其他聚合,但在TOP_HIT下不能有任何**SUB_Aggregation。ElasticSearch不支持它。here is the link to github issue
但如果你想要得到相同级别的总和,你可以使用下面的方法。
osh3o9ms3#
您可以使用脚本度量和sum_bucket管道聚合。SCRIPTED_METRUMER聚合允许您编写自己的Map减少逻辑,因此您可以为每个术语返回一个单独的度量。
init_script在状态对象中创建两个字段timestamp_latest和last_value(每个分片一个状态对象)。map_script针对父terms聚合返回的存储桶中收集的每个文档执行一次。如果根据文档的date定义date_as_millis,则将date_as_millis与state.timestamp_latest进行比较,最后从碎片更新state.last_value。combine_script返回每个分片的状态。reduce_script迭代每个分片返回的s.timestamp_latest的值,并从具有最新时间戳的文档中返回单个值(last_value)。此时,我们拥有每个
userid的最新docs值。然后,我们使用sum_bucket管道聚合,以便对所有最新的docs值求和,这将返回4的值。