REST api调用
GET test10/LREmail10/_search/
{
"size": 10,
"query": {
"range": {
"ALARM DATE": {
"gte": "now-15d/d",
"lt": "now/d"
}
}
},
"fields": [
"ALARM DATE",
"CLASSIFICATION"
]
}
输出的一部分是,
"took": 25,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 490,
"max_score": 1,
"hits": [
{
"_index": "test10",
"_type": "LREmail10",
"_id": "AVM5g6XaShke4hy5dziK",
"_score": 1,
"fields": {
"CLASSIFICATION": [
"Attack"
],
"ALARM DATE": [
"25/02/2016 8:35:22 AM(UTC-08:00)"
]
}
},
{
"_index": "test10",
"_type": "LREmail10",
"_id": "AVM5g6e_Shke4hy5dziL",
"_score": 1,
"fields": {
"CLASSIFICATION": [
"Compromise"
],
"ALARM DATE": [
"25/02/2016 8:36:16 AM(UTC-08:00)"
]
}
},
我真正想要做的是,通过ALARM DATE汇总CLASSIFICATION。日期的默认格式也有分钟,秒和时区。但是我想要为每一个日期的所有分类进行侵略。因此,"25/02/2016 8:36:16 AM(UTC-08:00)"和"25/02/2016 8:35:22 AM(UTC-08:00)"应被视为"25/02/2016"日期。并使所有分类属于一个日期。
我希望我已正确解释了问题。如果你们需要更多细节,请告诉我。
如果有人,可以给我一个提示,看看Elasticsearch中的哪个区域也非常有帮助。
答案 0 :(得分:1)
使用下面的date_histogram。
{
"size" :0 ,
"aggs": {
"classification of day": {
"date_histogram": {
"field": "ALARM DATE",
"interval": "day"
},
"aggs": {
"classification": {
"terms": {
"field": "CLASSIFICATION"
}
}
}
}
}
}