如何使用elasticsearch创建子查询
How to create subquery with elasticsearch
我需要在 elasticsearch 上为以下条件创建查询。
当添加了 "rabbitmq.queue.name" 属性的最后一个元素等于 "service_test_error" 且 "rabbitmq.queue.messages.total.count" 的值不同于“0”时
下面的 sql 查询适用于我的搜索,但我无法使用 elasticsearch 执行相同的查询
select * from metric where rabbitmq.queue.messages.total.count != '0' and rabbitmq.queue.name = 'service_test_error' and timestamp = (select max(timestamp) from metric where rabbitmq.queue.name = 'service_test_error')
以下这些记录是我的 metric-xpto 索引中存在的示例
[
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-08T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 0
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-07T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 3
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-03T17:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_alpha_test_error",
"messages": {
"total": {
"count": 8
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-03T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 8
}
}
}
}
}
}
]
如何使用 elasticsearch 创建类似的查询?
在查询部分,您只能获取最上面的记录,然后必须在客户端检查消息数。
在聚合部分可以做到这一点。
{
"size": 0,
"query": {
"term": {
"rabbitmq.queue.name.keyword": {
"value": "service_test_error"
}
}
},
"aggs": {
"date": {
"terms": {
"field": "@timestamp",
"size": 1,
"order": {
"_term": "desc"
}
},
"aggs": {
"message_count": {
"terms": {
"field": "rabbitmq.queue.messages.total.count",
"size": 10
},
"aggs": {
"filter_count": {
"bucket_selector": {
"buckets_path": {
"key": "_key"
},
"script": "if(params.key>0) return true; else return false;"
}
}
}
},
"select_timestamp": {
"bucket_selector": {
"buckets_path": {
"key": "message_count._bucket_count"
},
"script": "if(params.key>0) return true;else false;"
}
}
}
}
}
}
结果:如果最上面的记录消息计数为零,则桶将为空,否则会有数据
"hits" : {
"total" : {
"value" : 7,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"date" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 6,
"buckets" : [ ]
}
}
Elastic search 没有连接,所以在查询中不可能将一个文档与另一个文档进行比较
我需要在 elasticsearch 上为以下条件创建查询。
当添加了 "rabbitmq.queue.name" 属性的最后一个元素等于 "service_test_error" 且 "rabbitmq.queue.messages.total.count" 的值不同于“0”时
下面的 sql 查询适用于我的搜索,但我无法使用 elasticsearch 执行相同的查询
select * from metric where rabbitmq.queue.messages.total.count != '0' and rabbitmq.queue.name = 'service_test_error' and timestamp = (select max(timestamp) from metric where rabbitmq.queue.name = 'service_test_error')
以下这些记录是我的 metric-xpto 索引中存在的示例
[
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-08T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 0
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-07T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 3
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-03T17:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_alpha_test_error",
"messages": {
"total": {
"count": 8
}
}
}
}
}
},
{
"_index": "metric-xpto",
"_type": "_doc",
"_id": "jYP1WnEBmYyEo7K68Zme",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2020-04-03T18:03:14.899Z",
"rabbitmq": {
"queue": {
"name": "service_test_error",
"messages": {
"total": {
"count": 8
}
}
}
}
}
}
]
如何使用 elasticsearch 创建类似的查询?
在查询部分,您只能获取最上面的记录,然后必须在客户端检查消息数。
在聚合部分可以做到这一点。
{
"size": 0,
"query": {
"term": {
"rabbitmq.queue.name.keyword": {
"value": "service_test_error"
}
}
},
"aggs": {
"date": {
"terms": {
"field": "@timestamp",
"size": 1,
"order": {
"_term": "desc"
}
},
"aggs": {
"message_count": {
"terms": {
"field": "rabbitmq.queue.messages.total.count",
"size": 10
},
"aggs": {
"filter_count": {
"bucket_selector": {
"buckets_path": {
"key": "_key"
},
"script": "if(params.key>0) return true; else return false;"
}
}
}
},
"select_timestamp": {
"bucket_selector": {
"buckets_path": {
"key": "message_count._bucket_count"
},
"script": "if(params.key>0) return true;else false;"
}
}
}
}
}
}
结果:如果最上面的记录消息计数为零,则桶将为空,否则会有数据
"hits" : {
"total" : {
"value" : 7,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"date" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 6,
"buckets" : [ ]
}
}
Elastic search 没有连接,所以在查询中不可能将一个文档与另一个文档进行比较