嵌套聚合中子聚合是不是只对上一级聚合显示的bucket的数据进行聚合,对于处在sum_other_doc_count中的bucket不进行聚合了
Elasticsearch | 作者 joycer | 发布于2018年07月05日 | 阅读数:3648
我的搜索代码如下(注意:accTime.keyword 是 keyword 类型,range 对它做的是字符串字典序比较而不是时间比较,这里之所以能用,只是因为时间字符串格式固定、零填充且时区一致):
POST /dhcp_log_20180703/_search
{
"size": 0,
"query": {
"range": {
"accTime.keyword": {
"gte": "2018/07/03 00:50:00+08:00",
"lte": "2018/07/03 00:51:00+08:00"
}
}
},
"aggs": {
"mac": {
"terms": {
"field": "mac.keyword"
},
"aggs": {
"reqType_num":{
"cardinality": {
"field": "reqType.keyword"
}
},
"reqType": {
"terms": {
"field": "reqType.keyword"
},
"aggs": {
"filter_reqType": {
"filter": {
"terms": {
"reqType.keyword": ["1","101"]
}
}
}
}
},
"after_filter_doc":{
"sum_bucket": {
"buckets_path": "reqType>filter_reqType._count"
}
},
"result":{
"bucket_selector": {
"buckets_path": {
"count":"_count",
"after_filter_doc":"after_filter_doc",
"reqTypeNum":"reqType_num"
},
"script":"(params.count==params.after_filter_doc)&&(params.reqTypeNum==2)"
}
}
}
}
}
}
这段查询的目的是:在给定时间段内找出 reqType 有且仅有 1 和 101 两种取值的 mac——即该 mac 的全部文档都命中 reqType ∈ {1,101}(params.count == params.after_filter_doc),且 reqType 的基数为 2(params.reqTypeNum == 2)。
搜索结果如下:
{
"took": 16,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 14006,
"max_score": 0,
"hits": []
},
"aggregations": {
"mac": {
"doc_count_error_upper_bound": 26,
"sum_other_doc_count": 13738,
"buckets": []
}
}
}
可以看出结果中 buckets 为空,并没有找到符合条件的 mac;但在实际数据中确认这样的 mac 确实存在,而且它被计入了 sum_other_doc_count(13738,占 14006 条命中的绝大部分)。也就是说,mac 的 terms 聚合只返回按文档数排序靠前的 size 个 bucket(这里没有指定 size,使用默认值 10),文档数较少的 mac 被归入 sum_other_doc_count 而没有作为 bucket 返回;对于这些没有返回的 bucket,子聚合(reqType_num、reqType、after_filter_doc)和 bucket_selector 自然也不会有结果。另外 doc_count_error_upper_bound 为 26,说明这个 top-10 本身在 5 个分片之间也只是近似的。这是否意味着落在 sum_other_doc_count 里的 mac 根本不会参与后面的子聚合分析?如果是,应该如何解决——例如调大 terms 的 size,还是改用 composite 聚合对全部 mac 分页遍历?
POST /dhcp_log_20180703/_search
{
"size": 0,
"query": {
"range": {
"accTime.keyword": {
"gte": "2018/07/03 00:50:00+08:00",
"lte": "2018/07/03 00:51:00+08:00"
}
}
},
"aggs": {
"mac": {
"terms": {
"field": "mac.keyword"
},
"aggs": {
"reqType_num":{
"cardinality": {
"field": "reqType.keyword"
}
},
"reqType": {
"terms": {
"field": "reqType.keyword"
},
"aggs": {
"filter_reqType": {
"filter": {
"terms": {
"reqType.keyword": ["1","101"]
}
}
}
}
},
"after_filter_doc":{
"sum_bucket": {
"buckets_path": "reqType>filter_reqType._count"
}
},
"result":{
"bucket_selector": {
"buckets_path": {
"count":"_count",
"after_filter_doc":"after_filter_doc",
"reqTypeNum":"reqType_num"
},
"script":"(params.count==params.after_filter_doc)&&(params.reqTypeNum==2)"
}
}
}
}
}
}
这段查询的目的是:在给定时间段内找出 reqType 有且仅有 1 和 101 两种取值的 mac——即该 mac 的全部文档都命中 reqType ∈ {1,101}(params.count == params.after_filter_doc),且 reqType 的基数为 2(params.reqTypeNum == 2)。
搜索结果如下:
{
"took": 16,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 14006,
"max_score": 0,
"hits": []
},
"aggregations": {
"mac": {
"doc_count_error_upper_bound": 26,
"sum_other_doc_count": 13738,
"buckets": []
}
}
}
可以看出结果中 buckets 为空,并没有找到符合条件的 mac;但在实际数据中确认这样的 mac 确实存在,而且它被计入了 sum_other_doc_count(13738,占 14006 条命中的绝大部分)。也就是说,mac 的 terms 聚合只返回按文档数排序靠前的 size 个 bucket(这里没有指定 size,使用默认值 10),文档数较少的 mac 被归入 sum_other_doc_count 而没有作为 bucket 返回;对于这些没有返回的 bucket,子聚合(reqType_num、reqType、after_filter_doc)和 bucket_selector 自然也不会有结果。另外 doc_count_error_upper_bound 为 26,说明这个 top-10 本身在 5 个分片之间也只是近似的。这是否意味着落在 sum_other_doc_count 里的 mac 根本不会参与后面的子聚合分析?如果是,应该如何解决——例如调大 terms 的 size,还是改用 composite 聚合对全部 mac 分页遍历?