英文:
Elasticsearch api - order aggregation by @timestamp
问题
在我的索引中,有许多具有不同结构的文档。所有文档之间共享的关键字是以下关键字:(Store、owner、products、timestamp)
在我的应用程序中,我试图获取每个商店(owner、products)的最新共享关键字。所以对于这个示例,我想获取示例中的最后一个文档。
我尝试创建一个关于所有共享关键字的聚合查询,但不确定如何按日期对内部结果进行排序(以便最新值排在前面):
如何按@timestamp对查询的内部桶进行排序?这样我就可以获取第一个值,它肯定是最新的。
另外,我如何筛选数据,以便文档来自过去两天?我需要在@timestamp字段上添加一个查询过滤器吗?
我只会翻译您的请求,不会提供答案。请提供代码部分以获取帮助。
英文:
In my index I have a lot of documents with a different structure. The shared keys between all the documents are the following keys: (Store,owner,products,timestamp)
{"Store":"books for school","owner":"user_15","products":40,"@timestamp":2020/08/02T18:00, "a1":1,"a2":...}
{"Store":"books for school","owner":"user_15","products":45,"@timestamp":2020/08/02T19:00,"b1":1...}
{"Store":"books for school","owner":"user_17","products":55,"@timestamp":2020/08/02T20:00, "b2":1....}
In my app, I'm trying to get the most recent shared keys for each store (owner,products). So for this example I wanted to get the last document in the example.
I tried to create an aggregation query on all the shared keys but I'm not sure how to order the inner results by the date (so that the most newest value will be first):
{
"size": 0,
"aggs": {
"store_aggr": {
"terms": {
"field": "Store"
},
"aggs": {
"owner_aggr": {
"terms": {
"field": "owner"
}
}
,
"products_aggr": {
"terms": {
"field": "products"
}
}
}
}
}
}
How can I order the inner buckets of the query by @timestamp? In this way I can just take the first value and it definitely will be the newest..
In addition, how can I filter the data so that the documents will be from the last two days? Do I need to add a query filter on the @timestamp field?
答案1
得分: 1
是的,你需要使用range查询来选择最近的两天数据。至于排序,你可以使用top_hits聚合来检索底层文档:
{
"query": {
"range": {
"@timestamp": {
"gte": "now-2d"
}
}
},
"size": 0,
"aggs": {
"store_aggr": {
"terms": {
"field": "Store"
},
"aggs": {
"owner_aggr": {
"terms": {
"field": "owner"
},
"aggs": {
"top_hits_aggr": {
"top_hits": {
"sort": {
"@timestamp": {
"order": "desc"
}
}
}
}
}
},
"products_aggr": {
"terms": {
"field": "products"
},
"aggs": {
"top_hits_aggr": {
"top_hits": {
"sort": {
"@timestamp": {
"order": "desc"
}
}
}
}
}
}
}
}
}
}
如果你有任何其他翻译需求,请继续提问。
英文:
Yes, you'll need a range query to select only the last two days. As to the sorting -- you can use a ordered top_hits agg to retrieve the underlying docs:
{
"query": {
"range": {
"@timestamp": {
"gte": "now-2d"
}
}
},
"size": 0,
"aggs": {
"store_aggr": {
"terms": {
"field": "Store"
},
"aggs": {
"owner_aggr": {
"terms": {
"field": "owner"
},
"aggs": {
"top_hits_aggr": {
"top_hits": {
"sort": {
"@timestamp": {
"order": "desc"
}
}
}
}
}
},
"products_aggr": {
"terms": {
"field": "products"
},
"aggs": {
"top_hits_aggr": {
"top_hits": {
"sort": {
"@timestamp": {
"order": "desc"
}
}
}
}
}
}
}
}
}
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论