Elasticsearch組通過現場

Question

我有一些魷魚數據如下圖所示：

{"requestresultcode": "TCP_MISS/200"}, 
{"requestresultcode": "TCP_MISS/200"}, 
{"requestresultcode": "TCP_MISS/302"}, 
{"requestresultcode": "TCP_MISS/504"}, 
{"requestresultcode": "TCP_MISS/200"}, 
{"requestresultcode": "ERR_CLIENT_ABORT/000"}, 
{"requestresultcode": "ERR_CLIENT_ABORT/200"}, 
{"requestresultcode": "ERR_CLIENT_ABORT/302"}, 
{"requestresultcode": "ERR_CLIENT_ABORT/502"}, 
{"requestresultcode": "ERR_CONNECT_FAIL/502"} 

我想通過現場組，所以我用的聚合方面做

{ 
    "aggs": { 
    "agg1": { 
     "terms": { 
     "field": "cacheresultcode" 
     } 
    } 
    } 
} 

我得到的結果：

"aggregations": { 
    "agg1": { 
     "doc_count_error_upper_bound": 0, 
     "sum_other_doc_count": 0, 
     "buckets": [ 
     { 
      "key": "200", 
      "doc_count": 2011 
     }, 
     { 
      "key": "tcp_miss", 
      "doc_count": 1740 
     }, 
     { 
      "key": "err_client_abort", 
      "doc_count": 705 
     }, 
     { 
      "key": "302", 
      "doc_count": 244 
     }, 
     { 
      "key": "000", 
      "doc_count": 185 
     }, 
     { 
      "key": "502", 
      "doc_count": 24 
     }, 
     { 
      "key": "err_connect_fail", 
      "doc_count": 23 
     }, 
     { 
      "key": "504", 
      "doc_count": 4 
     } 
     ] 
    } 
    } 

它是使用SQL之間的一些不同的，我認爲它應該像

• ERR_CLIENT_ABORT/000
• ERR_CLIENT_ABORT/200
• ERR_CLIENT_ABORT/302
• ERR_CLIENT_ABORT/502
• ERR_CONNECT_FAIL/502
• TCP_MISS/200
• TCP_MISS/302
• TCP_MISS/504

我該怎麼辦？
感謝您的幫助！

Answer 1

如果您在其他地方使用分析字段，則可以使用multifields爲cacheresultcode提供關鍵字類型。

映射

{ 
    "mappings": { 
    "document_type" : { 
     "properties": { 
     "cacheresultcode":{ 
      "type": "text", 
      "fields": { 
      "keyword" : { 
       "type": "keyword" 
      } 
      } 
     } 
     } 
    } 
    } 
} 

查詢

{ 
    "aggs": { 
    "agg1": { 
     "terms": { 
     "field": "cacheresultcode.keyword" 
     } 
    } 
    } 
} 

希望這有助於。