Application logs are stored at www.example.com on logz.io. I am trying to aggregate the application's error logs: for each version, I want to aggregate the error messages. I tried using a sub-aggregation query:
curl -X POST https://api.logz.io/v1/search \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: xxxxxxxxxx' \
  -d '{
    "query": {
      "bool": {
        "must": [
          {
            "range": {"@timestamp": { "gte": "now-2w", "lte": "now"}}
          }
        ],
        "filter": [{"terms": {"log_level": ["ERROR","CRITICAL","FATAL"]}}]
      }
    },
    "size": 0,
    "aggs": {
      "app_version_agg": {
        "terms": {
          "field": "app_version",
          "size": 1000
        },
        "aggs": {
          "error_message_agg": {
            "terms": {
              "field": "error_message",
              "size": 1000
            }
          }
        }
      }
    }
  }'
But I get this error:
{"errorCode":"LogzElasticsearchAPI/INVALID_QUERY","message":"This search can't be executed: [Bad Request]. Please contact customer support for more details","requestId":"xxxx","parameters":{"reason":"Bad Request"}}
I should note that when I use several aggregations at the same level, I do get results (but they are separate aggregations, not an aggregation over several fields):
curl -X POST https://api.logz.io/v1/search \
  -H 'Content-Type: application/json' \
  -H 'X-API-TOKEN: xxxxxxxxxx' \
  -d '{
    "query": {
      "bool": {
        "must": [
          {
            "range": {"@timestamp": { "gte": "now-2w", "lte": "now"}}
          }
        ],
        "filter": [{"terms": {"log_level": ["ERROR","CRITICAL","FATAL"]}}]
      }
    },
    "size": 0,
    "aggs": {
      "app_version_agg": {
        "terms": {
          "field": "app_version",
          "size": 1000
        }
      },
      "error_message_agg": {
        "terms": {
          "field": "error_message",
          "size": 1000
        }
      }
    }
  }'
1 Answer
According to the Logz.io documentation for the search endpoint, aggregations have a restriction:

You cannot nest 2 or more bucket aggregations of the following types: date_histogram, geohash_grid, histogram, ip_ranges, significant_terms, terms

This probably explains the problem you are running into.
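As an added example (not part of the question or the answer above, and not Logz.io's own code), here is a small Python pre-flight check that walks the "aggs" section of a search request body and flags a restricted bucket aggregation nested under another restricted one, so the request can be rejected locally before it is sent to the API. The set of restricted types is the list quoted in the answer; the two request bodies are the question's own queries, constructed here with only the parts relevant to the check.

```python
import json

# Bucket aggregation types that the answer says Logz.io's search endpoint
# will not accept when nested inside one another.
RESTRICTED_BUCKET_AGGS = {
    "date_histogram", "geohash_grid", "histogram",
    "ip_ranges", "significant_terms", "terms",
}

# Keys inside an aggregation body that are not aggregation types.
NON_TYPE_KEYS = {"aggs", "aggregations", "meta"}


def find_nested_violations(aggs, path=(), inside_restricted=False):
    """Recursively walk an Elasticsearch-style 'aggs' mapping.

    Returns a list of (path, agg_type) pairs, one for every restricted bucket
    aggregation that sits (at any depth) below another restricted one.
    """
    violations = []
    for name, body in aggs.items():
        agg_types = {k for k in body if k not in NON_TYPE_KEYS}
        restricted_here = agg_types & RESTRICTED_BUCKET_AGGS
        here = path + (name,)
        if restricted_here and inside_restricted:
            violations.append(("/".join(here), sorted(restricted_here)[0]))
        sub_aggs = body.get("aggs") or body.get("aggregations") or {}
        violations.extend(
            find_nested_violations(
                sub_aggs, here, inside_restricted or bool(restricted_here)
            )
        )
    return violations


def validate_search_body(body):
    """True if the request body's aggregations satisfy the nesting restriction."""
    return not find_nested_violations(body.get("aggs", {}))


# Constructed from the question: terms nested under terms (rejected by the API).
NESTED_BODY = {
    "size": 0,
    "aggs": {
        "app_version_agg": {
            "terms": {"field": "app_version", "size": 1000},
            "aggs": {
                "error_message_agg": {
                    "terms": {"field": "error_message", "size": 1000}
                }
            },
        }
    },
}

# Constructed from the question: two terms aggregations as siblings (accepted).
SIBLING_BODY = {
    "size": 0,
    "aggs": {
        "app_version_agg": {"terms": {"field": "app_version", "size": 1000}},
        "error_message_agg": {"terms": {"field": "error_message", "size": 1000}},
    },
}


if __name__ == "__main__":
    for label, body in (("nested", NESTED_BODY), ("sibling", SIBLING_BODY)):
        problems = find_nested_violations(body["aggs"])
        status = "ok" if not problems else "would be rejected"
        print(f"{label}: {status}")
        for where, agg_type in problems:
            print(f"  restricted '{agg_type}' nested at {where}")
        # Print the body that would be posted, for comparison with the curl calls.
        print(json.dumps(body, indent=2))
```

The walk only looks at the shape of the "aggs" tree, so it works on any request body before the API token is ever used; a metric aggregation (for example "cardinality" or "avg") under a terms bucket is not in the restricted set and passes.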