Environment: Windows 10
ES Version: 7.5
Test logs:
{"transID":1,"span":{"traceID":521,"spanID":1},"msg":"TransStart","extend":{"type":"Login"}}
{"transID":1,"span":{"traceID":522,"spanID":2},"msg":"Step2"}
{"transID":1,"span":{"traceID":523,"spanID":3},"extend":{"result":"Failed"}}
{"transID":2,"span":{"traceID":524,"spanID":1},"msg":"TransStart","extend":{"type":"Login"}}
{"transID":2,"span":{"traceID":525,"spanID":2},"msg":"Step2"}
{"transID":2,"span":{"traceID":526,"spanID":3},"extend":{"result":"Succ"}}
Notes on the log content:
"extend":{"type":"Login"} indicates a login event.
"transID":1 is unique within the whole event.
What I want to achieve:
Compute the proportion of events that have "extend":{"result":"Succ"} and "extend":{"type":"Login"}.
I tried nested bucket aggregations, aggs{..., aggs{...}}, but so far I can only compute the result for a single event,
and I cannot compute it for the logins within a time period.
Result for a single login:
# Nested buckets + bucket_script to count Succ
# (1) Use a terms aggregation to find each transID
# (2) Use extend.type.keyword to select the Login events
# (3) Use extend.result.keyword to select Succ
GET /logstash-liqwei-2020.05.21/_search
{
  "size": 0,
  "aggs": {
    "trans_id": {
      "terms": {
        "field": "transID"
      },
      "aggs": {
        "login": {
          "filter": {
            "term": {
              "extend.type.keyword": "Login"
            }
          }
        },
        "login_succ": {
          "filter": {
            "term": {
              "extend.result.keyword": "Succ"
            }
          }
        },
        "succ_script": {
          "bucket_script": {
            "buckets_path": {
              "succ_count": "login_succ>_count",
              "total_count": "login>_count"
            },
            "format": "#.##",
            "script": "params.succ_count/params.total_count",
            "gap_policy": "skip"
          }
        }
      }
    }
  }
}
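1 reply
ziyou - A Java programmer learning ELK
Upvoted by: xzy, leeQiwei
What is wrong: each of your buckets contains at most three documents, so no matter how you aggregate them you will not get the real success rate.
Two suggestions:
On the computation side: if your data cannot be changed, fetch the data and do a second-pass calculation yourself to get the success rate.
On the data design side: I suggest designing suitable aggregation fields to handle the problem.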
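
The second-pass calculation suggested in the reply could look like the sketch below, which is an added example and not code from the question or the reply. It merges the documents of each transID, keeps the Login transactions, and computes the share that ended in Succ. It assumes the documents for the chosen time period have already been fetched as JSON lines; the function name, the transID 3 and 4 lines, and the "Query" type are constructed for illustration.

```python
import json
from collections import defaultdict

# Lines for transID 1 and 2 are the question's test log; transID 3 and 4
# are constructed here ("Query" is a hypothetical non-login type).
SAMPLE_LOGS = """
{"transID":1,"span":{"traceID":521,"spanID":1},"msg":"TransStart","extend":{"type":"Login"}}
{"transID":1,"span":{"traceID":522,"spanID":2},"msg":"Step2"}
{"transID":1,"span":{"traceID":523,"spanID":3},"extend":{"result":"Failed"}}
{"transID":2,"span":{"traceID":524,"spanID":1},"msg":"TransStart","extend":{"type":"Login"}}
{"transID":2,"span":{"traceID":525,"spanID":2},"msg":"Step2"}
{"transID":2,"span":{"traceID":526,"spanID":3},"extend":{"result":"Succ"}}
{"transID":3,"span":{"traceID":527,"spanID":1},"msg":"TransStart","extend":{"type":"Query"}}
{"transID":3,"span":{"traceID":528,"spanID":2},"extend":{"result":"Succ"}}
{"transID":4,"span":{"traceID":529,"spanID":1},"msg":"TransStart","extend":{"type":"Login"}}
"""


def login_success_rate(lines):
    """Return (succeeded, total, rate) over the login transactions in lines."""
    trans = defaultdict(dict)
    for raw in lines:
        if not raw.strip():
            continue
        doc = json.loads(raw)
        # type and result sit in different documents of the same transaction,
        # so merge every document's "extend" object under its transID.
        trans[doc["transID"]].update(doc.get("extend") or {})
    logins = [t for t in trans.values() if t.get("type") == "Login"]
    succeeded = sum(1 for t in logins if t.get("result") == "Succ")
    total = len(logins)
    # A login with no result document yet (transID 4) counts as not succeeded.
    rate = succeeded / total if total else None
    return succeeded, total, rate


if __name__ == "__main__":
    ok, total, rate = login_success_rate(SAMPLE_LOGS.splitlines())
    print(f"{ok}/{total} login transactions succeeded ({rate:.2%})")
```

Whether a login with no result document belongs in the denominator is a policy choice; here it is counted as a login that did not succeed.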