ElasticSearch - 如何在每个聚合桶中获取最小时间戳?
ElasticSearch - How to get minimum timestamp in each aggregation buckets?
我在 ElasticSearch 中有以下文档:
"ip": "192.168.10.12", "@timestamp": "2017-08-10T00:00:00.000Z", "states": "newyork", "user" : "admin"
"ip": "192.168.10.12", "@timestamp": "2017-08-10T01:25:00.000Z", "states": "California", "user" : "guest"
我尝试按用户使用 Elasticsearch 术语聚合
这是我所在的位置:
{
"size":0,
"query":{
"bool":{
"must":[
{
"term":{
"user":"admin"
}
},
{
"range":{
"@timestamp":{
"gte": "2017-08-10T00:00:00.000Z",
"lte": "2017-08-10T04:58:00.000Z"
}
}
}
]
}
},
"aggs":{
"states":{
"terms":{
"field":"states",
"min_doc_count":8
}
}
}
}
从查询中,将 return :
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"failed": 0
},
"hits": {
"total": 2,
"max_score": 0,
"hits": []
},
"aggregations": {
"states": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "New York",
"doc_count": 200
},
{
"key": "California",
"doc_count": 10
},
{
"key": "North Dakota",
"doc_count": 125
}
]
}
}
}
我想在每个桶中获得最小的@timestamp,
但是我可以从 return 得到每个桶 "minimum" @timestamp 吗?
您可以简单地添加一个 min 指标子聚合
"aggs":{
"states":{
"terms":{
"field":"states",
"min_doc_count":8
},
"aggs": {
"min_timestamp": {
"min": {
"field": "@timestamp"
}
}
}
}
}
我在 ElasticSearch 中有以下文档:
"ip": "192.168.10.12", "@timestamp": "2017-08-10T00:00:00.000Z", "states": "newyork", "user" : "admin"
"ip": "192.168.10.12", "@timestamp": "2017-08-10T01:25:00.000Z", "states": "California", "user" : "guest"
我尝试按用户使用 Elasticsearch 术语聚合 这是我所在的位置:
{
"size":0,
"query":{
"bool":{
"must":[
{
"term":{
"user":"admin"
}
},
{
"range":{
"@timestamp":{
"gte": "2017-08-10T00:00:00.000Z",
"lte": "2017-08-10T04:58:00.000Z"
}
}
}
]
}
},
"aggs":{
"states":{
"terms":{
"field":"states",
"min_doc_count":8
}
}
}
}
从查询中,将 return :
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"failed": 0
},
"hits": {
"total": 2,
"max_score": 0,
"hits": []
},
"aggregations": {
"states": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "New York",
"doc_count": 200
},
{
"key": "California",
"doc_count": 10
},
{
"key": "North Dakota",
"doc_count": 125
}
]
}
}
}
我想在每个桶中获得最小的@timestamp,
但是我可以从 return 得到每个桶 "minimum" @timestamp 吗?
您可以简单地添加一个 min 指标子聚合
"aggs":{
"states":{
"terms":{
"field":"states",
"min_doc_count":8
},
"aggs": {
"min_timestamp": {
"min": {
"field": "@timestamp"
}
}
}
}
}