
組合兩個 Elasticsearch 查詢

多虧了 Kibana 這個出色的前端（我用它來看 Elasticsearch 裡的指標），我已經能建構出一個查詢，在指定的時間範圍內按小時統計記錄數：

{ 
    "facets": { 
    "0": { 
     "date_histogram": { 
     "field": "@timestamp", 
     "interval": "1h" 
     }, 
     "global": true, 
     "facet_filter": { 
     "fquery": { 
      "query": { 
      "filtered": { 
       "query": { 
       "query_string": { 
        "query": "*" 
       } 
       }, 
       "filter": { 
       "bool": { 
        "must": [ 
        { 
         "range": { 
         "@timestamp": { 
          "from": "2014-08-01T07:00:00.000Z", 
          "to": "2014-09-01T06:59:59.999Z" 
         } 
         } 
        }, 
        { 
         "fquery": { 
         "query": { 
          "query_string": { 
          "query": "tags:\"solr_search\"" 
          } 
         }, 
         "_cache": true 
         } 
        } 
        ] 
       } 
       } 
      } 
      } 
     } 
     } 
    } 
    }, 
    "size": 0 
}' 

它回傳的輸出像下面這樣（為節省篇幅只列出前幾個 bucket；`time` 是毫秒為單位的 epoch 時間戳）：

{ 
    "took" : 27, 
    "timed_out" : false, 
    "_shards" : { 
    "total" : 155, 
    "successful" : 155, 
    "failed" : 0 
    }, 
    "hits" : { 
    "total" : 267366, 
    "max_score" : 0.0, 
    "hits" : [ ] 
    }, 
    "facets" : { 
    "0" : { 
     "_type" : "date_histogram", 
     "entries" : [ { 
     "time" : 1406876400000, 
     "count" : 120 
     }, { 
     "time" : 1406880000000, 
     "count" : 115 
     }, { 
     "time" : 1406883600000, 
     "count" : 134 
     }, { 
     "time" : 1406887200000, 
     "count" : 87 
     }, { 
     "time" : 1406890800000, 
     "count" : 99 
     }, { 
     "time" : 1406894400000, 
     "count" : 141 
     }, { 
     "time" : 1406898000000, 
     "count" : 168 
     }, { 
     "time" : 1406901600000, 
     "count" : 300 
     }, { 
     "time" : 1406905200000, 
     "count" : 782 
     }, { 
     "time" : 1406908800000, 
     "count" : 1085 
     }, { 

而且（同樣借助 Kibana），我可以用像下面這樣的查詢，針對某一個特定的時間 bucket 取得最常出現的前 10 個搜尋詞。注意這裡的 `range` 直接使用上面輸出的毫秒時間戳作為邊界：

{ 
    "facets": { 
    "terms": { 
     "terms": { 
     "field": "searchstring.raw", 
     "size": 10, 
     "order": "count", 
     "exclude": [] 
     }, 
     "facet_filter": { 
     "fquery": { 
      "query": { 
      "filtered": { 
       "query": { 
       "bool": { 
        "should": [ 
        { 
         "query_string": { 
         "query": "*" 
         } 
        } 
        ] 
       } 
       }, 
       "filter": { 
       "bool": { 
        "must": [ 
        { 
         "range": { 
         "@timestamp": { 
          "from": 1406876400000, 
          "to": 1406880000000 
         } 
         } 
        }, 
        { 
         "fquery": { 
         "query": { 
          "query_string": { 
          "query": "tags:\"solr_search\"" 
          } 
         }, 
         "_cache": true 
         } 
        } 
        ] 
       } 
       } 
      } 
      } 
     } 
     } 
    } 
    }, 
    "size": 0 
}' 

它回傳的結果像這樣（`total` 120 正好對應第一個查詢中該小時 bucket 的 `count`）：

{ 
    "took" : 56, 
    "timed_out" : false, 
    "_shards" : { 
    "total" : 155, 
    "successful" : 155, 
    "failed" : 0 
    }, 
    "hits" : { 
    "total" : 267366, 
    "max_score" : 0.0, 
    "hits" : [ ] 
    }, 
    "facets" : { 
    "terms" : { 
     "_type" : "terms", 
     "missing" : 0, 
     "total" : 120, 
     "other" : 86, 
     "terms" : [ { 
     "term" : "term1", 
     "count" : 11 
     }, { 
     "term" : "term2", 
     "count" : 4 
     }, { 
     "term" : "term3", 
     "count" : 3 
     }, { 
     "term" : "term4", 
     "count" : 3 
     }, { 
     "term" : "term5", 
     "count" : 3 
     }, { 
     "term" : "term6", 
     "count" : 2 
     }, { 
     "term" : "term7", 
     "count" : 2 
     }, { 
     "term" : "term8", 
     "count" : 2 
     }, { 
     "term" : "term9", 
     "count" : 2 
     }, { 
     "term" : "term10", 
     "count" : 2 
     } ] 
    } 
    } 
} 

我想做的是：對第一個查詢輸出的每一個時間 bucket，取得該 bucket 內的前 10 個搜尋詞，並在輸出中按 bucket 逐一列出。我對 Elasticsearch 的查詢語言還不熟，目前合併這兩個查詢的嘗試都失敗了。如果有人能給點提示，我會非常感激。

回答


我最後放棄了 facet 的做法，改用較新的 aggregation（聚合）語法：把 `terms` 聚合巢狀放在 `date_histogram` 聚合底下，就能一次拿到每個小時 bucket 內的前 10 個搜尋詞。下面這個查詢最終回傳了我想要的結果：

{ 
    "query": { 
     "filtered": { 
      "filter": { 
       "bool": { 
        "must": [ 
         { 
          "range": { 
           "@timestamp": { 
            "from": "2014-08-01T00:00:00.000Z", 
            "to": "2014-09-01T00:00:00.000Z" 
           } 
          } 
         }, 
         { 
          "fquery": { 
           "query": { 
            "query_string": { 
             "query": "tags:\"solr_search\"" 
            } 
           }, 
           "_cache": true 
          } 
         } 
        ] 
       } 
      } 
     } 
    }, 
    "aggs": { 
     "searches_per_hour": { 
      "date_histogram" : { 
       "field": "@timestamp", 
       "interval": "1h", 
       "format": "yyyy-MM-dd ha" 
      }, 
      "aggs": { 
       "top_search_terms": { 
        "terms": { 
         "field": "searchstring.raw", 
         "size": 10, 
         "shard_size": 300 
        } 
       } 
      } 
     } 
    } 
} 

也許哪天這能幫別人省點功夫 :)

幾點補充，實際使用時值得注意：

- 時區：`date_histogram` 的 bucket 邊界預設以 UTC 計算；上面第一個查詢用的是 07:00Z / 06:59:59.999Z 的邊界（看起來是配合本地時區），而這個查詢改用 00:00Z。若要讓小時 bucket 與本地時間對齊，需要在 `date_histogram` 裡指定時區參數（依 ES 版本為 `time_zone` 或 `pre_zone`，請對照所用版本的文件確認）。`format` 只影響 `key_as_string` 的顯示，不影響 bucket 的切分。
- 範圍邊界：`range` 的 `from`/`to` 預設兩端都包含，所以 `2014-09-01T00:00:00.000Z` 這一毫秒的記錄會被算進來；若要半開區間，改用 `"gte"` 與 `"lt"`（或把 `to` 設為前一毫秒，如第一個查詢那樣）。
- 準確度：`terms` 聚合的 `size: 10` 是跨 shard 的近似結果，`shard_size: 300` 可降低誤差；在支援的版本上可檢查回傳中的 `doc_count_error_upper_bound` 來判斷誤差是否可接受。
- 過濾方式：`query_string` 會把字串交給 Lucene 查詢語法解析。這裡的 `tags:"solr_search"` 是寫死的常數所以沒有問題，但如果這個值有可能來自使用者輸入，請改用不經過查詢解析器的 `term` 過濾（例如 `{"term": {"tags": "solr_search"}}`），以免特殊字元被當成查詢語法解讀；`term` 過濾同樣可以被快取。
- 欄位：聚合用的是 `searchstring.raw`，這應該是 `searchstring` 的 not_analyzed 子欄位（mapping 未在本文中列出，請自行確認）；若改用經過分析的 `searchstring` 欄位，得到的會是分詞後的單字而不是完整的搜尋詞。