弹性搜索中的多个过滤器和聚合 [英] Multiple filters and an aggregate in elasticsearch

问题描述

如何将过滤器与 elasticsearch 中的聚合结合使用?

How can I use a filter in connection with an aggregate in elasticsearch?

官方文档只给出了过滤器 和 aggregations 并且没有正式的查询 dsl 的描述 - 比较它，例如使用 postgres 文档.

The official documentation gives only trivial examples for filter and for aggregations and no formal description of the query dsl - compare it e.g. with postgres documentation.

通过尝试，我发现了以下查询，它被 elasticsearch 接受(没有解析错误)，但忽略了给定的过滤器:

Through trying out I found following query, which is accepted by elasticsearch (no parsing errors), but ignores the given filters:

{
  "filter": {
    "and": [
      {
        "term": {
          "_type": "logs"
        }
      },
      {
        "term": {
          "dc": "eu-west-12"
        }
      },
      {
        "term": {
          "status": "204"
        }
      },
      {
        "range": {
          "@timestamp": {
            "from": 1398169707,
            "to": 1400761707
          }
        }
      }
    ]
  },
  "size": 0,
  "aggs": {
    "time_histo": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1h"
      },
      "aggs": {
        "name": {
          "percentiles": {
            "field": "upstream_response_time",
            "percents": [
              98.0
            ]
          }
        }
      }
    }
  }
}

有些人建议使用 query 而不是 filter.但是官方文档一般推荐相反进行精确过滤值.query 的另一个问题:虽然过滤器提供了一个 and，query 没有.

Some people suggest using query instead of filter. But the official documentation generally recommends the opposite for filtering on exact values. Another issue with query: while filters offer an and, query does not.

有人可以给我指点文档、博客或书籍，其中描述了编写非平凡查询:至少是一个聚合加上多个过滤器.

Can somebody point me to documentation, a blog or a book, which describe writing non-trivial queries: at least an aggregate plus multiple filters.

推荐答案

我最终使用了 过滤聚合 - 未过滤的查询.所以现在我有 3 个嵌套的 aggs 元素.

I ended up using a filter aggregation - not filtered query. So now I have 3 nested aggs elements.

我也使用 bool 过滤器代替@alex-brasetvik 推荐的 and 因为 http://www.elasticsearch.org/blog/all-about-elasticsearch-filter-bitsets/

I also use bool filter instead of and as recommended by @alex-brasetvik because of http://www.elasticsearch.org/blog/all-about-elasticsearch-filter-bitsets/

我的最终实现:

{
  "aggs": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "term": {
                "_type": "logs"
              }
            },
            {
              "term": {
                "dc": "eu-west-12"
              }
            },
            {
              "term": {
                "status": "204"
              }
            },
            {
              "range": {
                "@timestamp": {
                  "from": 1398176502000,
                  "to": 1400768502000
                }
              }
            }
          ]
        }
      },
      "aggs": {
        "time_histo": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "1h"
          },
          "aggs": {
            "name": {
              "percentiles": {
                "field": "upstream_response_time",
                "percents": [
                  98.0
                ]
              }
            }
          }
        }
      }
    }
  },
  "size": 0
}

这篇关于弹性搜索中的多个过滤器和聚合的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！