Elasticsearch: Can I aggregate with multiple date fields?

Time: 2015-06-23 10:14:18

Tags: elasticsearch

I have some data about running scripts in Elasticsearch:

{
"start":"2015-06-15T10:48:01.451Z",
"resolved":true,
"cmd":"blabla",
"lastUpdate":"2015-06-18T11:28:36.866Z",
"end":"2015-06-17T11:28:35.768Z"
}

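My goal is to see whether a script was running during the last x days. A running script has its start time in the field "start" and its end time in the field "end". In this case, I would like to have a view like this: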

{ "date":"2015-06-14", "doc_count":"0",
  "date":"2015-06-15", "doc_count":"1",
  "date":"2015-06-16", "doc_count":"1",
  "date":"2015-06-17", "doc_count":"1",
  "date":"2015-06-18", "doc_count":"0" 
}

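Is this possible with aggregations or in some other way? How can I build this?

Thanks for any suggestions!

I have already tried aggregations, but they did not meet my needs. I can only ever reference one date field, and the days between start and end are not taken into account.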

"aggs" : {
    "range" : {
        "date_range" : {
            "field" : "start",
            "format" : "dd.MM.yyyy",
            "ranges" : [
                {"to": "now", "from": "now/d"},
                {"to": "now/d", "from": "now-1d/d"},
                {"to": "now-1d/d", "from": "now-2d/d"},
                {"to": "now-2d/d", "from": "now-3d/d"},
                {"to": "now-3d/d", "from": "now-4d/d"},
                {"to": "now-4d/d", "from": "now-5d/d"},
                {"to": "now-5d/d", "from": "now-6d/d"}
            ]
        }
    },

1 answer:

Answer 0: (score: 0)

To solve this problem, I used a script to compute the days of interest. Here is my query with the aggregation:

"query" : {
    "filtered" : {
        "query" : {
            "bool" : {
                "should" : [ 
                    { "range" : { "lastUpdate" : {"gt" : "now-10d/d"} } },
                    { "range" : { "start"      : {"gt" : "now-10d/d"} } },
                    { "range" : { "end"       : {"gt" : "now-10d/d"} } }
                ]
            }
        }
    }
},
"aggs": {
    "dates" : {
        "terms" : {
            "script_file" : "multidate"
        }
    }
}

It is related to the documentation.

I think the script is not finished, but it is good as an example:

import groovy.time.TimeCategory
import groovy.json.*

def term = []
use(TimeCategory) {

def lastUpdate = doc['lastUpdate'].date.toDate()
def start      = doc['start'].date.toDate()
def end        = doc['end'].date.toDate()

// Start before end
  if(start<end) {
    // lastUpdate only use if after end
    if(end<lastUpdate&&(lastUpdate-end).days>0) {
      term.push(lastUpdate)
    }
    // days between start and end
    // same day?
    if(start.format("dd.MM.yyyy")==end.format("dd.MM.yyyy")) {
      // same day!
      term.push(start)
    } else {
      // another day
      diff = end-start
      for(i=0;i<=diff.days;i++) {
        term.push(start+i.days)
      }
      if((start+diff.days).format("dd.MM.yyyy")!=end.format("dd.MM.yyyy")) {
        term.push(end)
      }
    }
  }
}

text = []
for(i in term) {
  text.add(i.format("dd.MM.yyyy"))
}

text

That's it! If I run the query, I get:

  "aggregations" : {
    "dates" : {
      "buckets" : [ {
        "key" : "18.06.2015",
        "doc_count" : 2
      }, {
        "key" : "19.06.2015",
        "doc_count" : 2
      }, {
        "key" : "25.06.2015",
        "doc_count" : 2
      }, {
        "key" : "17.06.2015",
        "doc_count" : 1
      }, {
        "key" : "22.06.2015",
        "doc_count" : 1
      }, {
        "key" : "23.06.2015",
        "doc_count" : 1
      }, {
        "key" : "30.06.2015",
        "doc_count" : 1
      } ]
    }
  }
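
The day expansion that the answer's script performs, shown as an added example that is not part of the original answer: it runs client-side in Python over hits that have already been fetched, and it also fills in the zero-count days the question asked for. It assumes UTC calendar days; the function names and the sample documents are constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample documents in the shape shown in the question.
DOCS = [
    {"start": "2015-06-15T10:48:01.451Z", "end": "2015-06-17T11:28:35.768Z"},
    {"start": "2015-06-17T23:50:00.000Z", "end": "2015-06-18T00:10:00.000Z"},
    {"start": "2015-06-16T09:00:00.000Z", "end": "2015-06-16T09:30:00.000Z"},
    # Inconsistent record: end lies before start, so it is ignored.
    {"start": "2015-06-18T12:00:00.000Z", "end": "2015-06-18T11:00:00.000Z"},
]


def parse(ts):
    """Parse a timestamp such as 2015-06-15T10:48:01.451Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def running_days(doc):
    """Return every calendar day from start to end, inclusive."""
    start, end = parse(doc["start"]), parse(doc["end"])
    if end < start:
        return []
    first, last = start.date(), end.date()
    # Counting calendar days (not 24-hour periods) also covers a run
    # that crosses midnight but lasts less than a day.
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def daily_counts(docs, first_day, last_day):
    """Count running scripts per day, keeping days with no script at all."""
    counts = Counter(day for doc in docs for day in running_days(doc))
    span = (last_day - first_day).days + 1
    window = [first_day + timedelta(days=i) for i in range(span)]
    return [{"date": d.isoformat(), "doc_count": counts[d]} for d in window]


if __name__ == "__main__":
    for bucket in daily_counts(DOCS, date(2015, 6, 14), date(2015, 6, 18)):
        print(bucket)
```
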