关于Elasticsearch查询出结果再运算排序的问题

作者 601049502@qq.com | 发布于2018年06月14日 | 阅读数:266

这个Query的目的是为了实现 查询出流入流量和流出流量,并且将这两个字段的值相加得出某个IP的总流量 并将这个流量按IP分组,返回所有IP的总流量的前20个   大概思路如下图,可能不对 欢迎大佬指导
Elasticsearch.png
已邀请:

laoyang360 - [死磕Elasitcsearch]知识星球地址:http://t.cn/RmwM3N9;微信公众号:铭毅天下; 博客:blog.csdn.net/laoyang360

赞同来自:

取前20用top_hits聚合方式实现

yayg2008

赞同来自:

你这个场景貌似跟我这个https://elasticsearch.cn/article/667 相似。

laoyang360 - [死磕Elasitcsearch]知识星球地址:http://t.cn/RmwM3N9;微信公众号:铭毅天下; 博客:blog.csdn.net/laoyang360

赞同来自:

验证了一把:
PUT flow/_doc/1
{
"IPV4_SRC_ADDR":"192.168.1.1",
"IN_BYTES":10,
"OUT_BYTES":20
}

PUT flow/_doc/2
{
"IPV4_SRC_ADDR":"192.168.1.1",
"IN_BYTES":30,
"OUT_BYTES":40
}

PUT flow/_doc/3
{
"IPV4_SRC_ADDR":"192.168.1.2",
"IN_BYTES":1000,
"OUT_BYTES":5000
}


PUT flow/_doc/4
{
"IPV4_SRC_ADDR":"192.168.1.2",
"IN_BYTES":1,
"OUT_BYTES":5
}

PUT flow/_doc/5
{
"IPV4_SRC_ADDR":"192.168.1.3",
"IN_BYTES":1111,
"OUT_BYTES":2222
}


GET flow/_doc/_search
{
"query":{
"match_all": {}
}
}

POST flow/_doc/_search
{
"size":0,
"aggs": {
"group_by_ip": {
"terms": {
"field": "IPV4_SRC_ADDR.keyword",
"order": {
"inout_sums": "desc"
},
"size": 2
},
"aggs": {
"inout_sums": {
"sum": {
"script": {
"source": "doc.IN_BYTES.value + doc.OUT_BYTES.value"
}
}
}
}
}
}
}

返回结果:
{
"took": 2,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 5,
"max_score": 0,
"hits": []
},
"aggregations": {
"group_by_ip": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 2,
"buckets": [
{
"key": "192.168.1.2",
"doc_count": 2,
"inout_sums": {
"value": 6006
}
},
{
"key": "192.168.1.3",
"doc_count": 1,
"inout_sums": {
"value": 3333
}
}
]
}
}
}

要回复问题请先登录注册