行动是治愈恐惧的良药,而犹豫、拖延将不断滋养恐惧。

es统计相关问题

Elasticsearch | 作者 hel2o | 发布于2019年02月14日 | 阅读数:1696
分享到:QQ空间新浪微博微信QQ好友印象笔记有道云笔记
结构如下
{

  "mapping": {

    "usgtrafficlog": {

      "properties": {

        "closeReason": {

          "type": "keyword"

        },

        "destinationIp": {

          "type": "keyword"

        },

        "destinationPort": {

          "type": "long"

        },

        "protocol": {

          "type": "keyword"

        },

        "rcvBytes": {

          "type": "long"

        },

        "securityPolicyName": {

          "type": "keyword"

        },

        "sendBytes": {

          "type": "long"

        },

        "sourceIp": {

          "type": "keyword"

        },

        "sourceNATIp": {

          "type": "keyword"

        },

        "sourceNATPort": {

          "type": "long"

        },

        "sourcePort": {

          "type": "long"

        },

        "timestamp": {

          "type": "long"

        }

      }

    }

  }

}

我想统计出前10名的sourceIp对应的rcvBytes值的和在特定的timestamp内
请问有相关的DSL语句例子吗?感觉DSL超级难写!

 
2019-02-14 添加评论

没有找到相关结果

    已邀请:

    rochy - rochy_he

    赞同来自: elasticStack 

    {
    
    "size": 0,
    
    "query": {
    
        "bool": {
    
            "filter": [{
    
                "range": {
    
                    "timestamp": {
    
                        "from": 155013100000,
    
                        "to": 155013200000,
    
                        "include_lower": true,
    
                        "include_upper": true,
    
                        "boost": 1.0
    
                    }
    
                }
    
            }],
    
            "adjust_pure_negative": true,
    
            "boost": 1.0
    
        }
    
    },
    
    "aggregations": {
    
        "sourceIp": {
    
            "terms": {
    
                "field": "sourceIp",
    
                "size": 10,
    
                "min_doc_count": 1,
    
                "shard_min_doc_count": 0,
    
                "show_term_doc_count_error": false,
    
                "order": [{
    
                    "sum": "desc"
    
                }, {
    
                    "_key": "asc"
    
                }]
    
            },
    
            "aggregations": {
    
                "sum": {
    
                    "sum": {
    
                        "field": "rcvBytes"
    
                    }
    
                }
    
            }
    
        }
    
    }
    
}
    2019-02-14 1 2
    分享

    hel2o

    赞同来自:

    如果要rcvBytes和sendBytes的和 要怎么写呢?
    2019-02-22 0 0
    分享

    cl1321 - 85后IT女

    赞同来自:

    求和的话,试下这个: 
    GET my_index/_search
    
{
    
  "script_fields": {
    
    "my_doubled_field": {
    
      "script": {
    
        "lang":   "expression",
    
        "source": "doc['rcvBytes'] + doc['sendBytes']"
    
      }
    
    }
    
  }
    
}
    参考: How to use scripts
    2019-02-22 0 0
    分享
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    Copyright © 2024 · CC BY-NC-SA 3.0

    本站服务器及带宽由 提供赞助