Count events per 5-second bucket inside a fixed time window. The filter is wrapped in constant_score so no relevance score is computed; the epoch-millisecond bounds can be replaced by date math, e.g. "gt": "now-2m", "lt": "now". Keep such notes outside the body: JSON has no comments, and Elasticsearch rejects a request that contains them. Without "size": 0 the ten best-matching hits are returned alongside the buckets, and from Elasticsearch 7.2 "interval" is deprecated in favour of "fixed_interval" (e.g. "5s") or "calendar_interval"; 8.x rejects the old name.
{
  "query": {
    "constant_score": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": 1490112000000,
            "lte": 1490113000000
          }
        }
      }
    }
  },
  "aggs": {
    "by_time": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "5s"
      }
    }
  }
}
Or written in a form like the following: a filter bucket. The query narrows the documents to make "ford", the filter sub-aggregation keeps only sales from the last month, and the average price is computed inside that bucket. "from" is an older spelling of "gte"; the documented form today is "gte".
{
  "size": 0,
  "query": {
    "match": { "make": "ford" }
  },
  "aggs": {
    "recent_sales": {
      "filter": {
        "range": { "sold": { "from": "now-1M" } }
      },
      "aggs": {
        "average_price": {
          "avg": { "field": "price" }
        }
      }
    }
  }
}
Nested aggs over two fields within a given time range: one terms bucket per client, and inside each a terms bucket per response code. Terms aggregations need an exact-value field, hence "client_id.keyword" rather than the analysed "client_id" text field; without that the request fails on a text field.
{
  "size": 0,
  "query": {
    "constant_score": {
      "filter": {
        "range": {
          "@timestamp": {
            "gte": 1490175000000,
            "lte": 1490185000000
          }
        }
      }
    }
  },
  "aggs": {
    "group_by_state": {
      "terms": { "field": "client_id.keyword" },
      "aggs": {
        "group_by_code": {
          "terms": { "field": "message_json.code" }
        }
      }
    }
  }
}
Summary: the calling format of the aggregation API
"aggregations" : {                      // the aggregation section; "aggs" is an accepted short form
    "<aggregation_name>" : {            // any string; it becomes the key of this aggregation in the response, so the right result can be picked out directly
        "<aggregation_type>" : {        // the kind of aggregation, e.g. min, avg, terms, date_histogram
            <aggregation_body>          // the body; each aggregation type has its own parameters
        }
        [,"aggregations" : { [<sub_aggregation>]+ } ]?   // nested sub-aggregations, zero or more
    }
    [,"<aggregation_name_2>" : { ... } ]*                // further aggregations at the same level, zero or more
}
A query or filter can be combined with the aggregation section, as in the examples above, to restrict the documents the buckets are built from.
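The following Python script is an added example, not code from the original post or from Elasticsearch. It builds the two-field request body from the section above programmatically (so the result is always valid JSON, unlike a hand-written body with a // comment), then walks the nested bucket tree of a response and flags clients that produced many of one response code, which is how such an aggregation is typically consumed in a detection job. The field names @timestamp, client_id.keyword and message_json.code are taken from the queries above; the response is constructed by hand in the shape Elasticsearch returns for a terms aggregation with a nested terms sub-aggregation, and its values are invented.

```python
import json

# Added example (not from the original post). Field names follow the page's
# index layout: @timestamp, client_id.keyword, message_json.code (assumed).


def build_request(start, end, client_field="client_id.keyword",
                  code_field="message_json.code", top_n=10):
    """Body for the two-level aggregation: constant_score range filter on
    @timestamp, terms buckets per client, nested terms buckets per code.
    size=0 drops the hits so only buckets come back. start/end may be
    epoch millis or date math such as "now-2m" / "now"."""
    return {
        "size": 0,
        "query": {
            "constant_score": {
                "filter": {"range": {"@timestamp": {"gte": start, "lte": end}}}
            }
        },
        "aggs": {
            "group_by_state": {
                "terms": {"field": client_field, "size": top_n},
                "aggs": {
                    "group_by_code": {"terms": {"field": code_field, "size": top_n}}
                },
            }
        },
    }


def to_json(body):
    """Serialise the body; json.dumps guarantees a comment-free, parseable
    request, which the hand-edited query with a // note was not."""
    return json.dumps(body, indent=2)


def flatten_buckets(response):
    """Walk the nested bucket tree into (client, code, doc_count) rows,
    one row per inner bucket."""
    rows = []
    for client in response["aggregations"]["group_by_state"]["buckets"]:
        for code in client["group_by_code"]["buckets"]:
            rows.append((client["key"], code["key"], code["doc_count"]))
    return rows


def noisy_clients(rows, code, threshold):
    """Clients whose count for `code` reaches `threshold` within the window,
    e.g. sources producing many 401s (a simple brute-force indicator)."""
    return sorted(client for client, k, n in rows if k == code and n >= threshold)


# Constructed sample response (shape of a terms agg with a nested terms agg;
# keys for keyword fields are strings, for numeric fields numbers).
SAMPLE_RESPONSE = {
    "took": 3,
    "hits": {"total": {"value": 120, "relation": "eq"}, "hits": []},
    "aggregations": {
        "group_by_state": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "10.0.0.7", "doc_count": 60,
                 "group_by_code": {"doc_count_error_upper_bound": 0,
                                   "sum_other_doc_count": 0,
                                   "buckets": [{"key": 401, "doc_count": 57},
                                               {"key": 200, "doc_count": 3}]}},
                {"key": "10.0.0.12", "doc_count": 60,
                 "group_by_code": {"doc_count_error_upper_bound": 0,
                                   "sum_other_doc_count": 0,
                                   "buckets": [{"key": 200, "doc_count": 58},
                                               {"key": 401, "doc_count": 2}]}},
            ],
        }
    },
}

if __name__ == "__main__":
    print(to_json(build_request("now-2m", "now")))
    rows = flatten_buckets(SAMPLE_RESPONSE)
    for row in rows:
        print(row)
    print("clients with >= 50 x 401:", noisy_clients(rows, 401, 50))
```

In a real job the body from build_request is POSTed to the index's _search endpoint and the JSON reply is handed to flatten_buckets; the two inner "size" values bound how many buckets come back per level, since the default of 10 silently truncates the long tail.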
Related blog posts:
Logstash + ElasticSearch: processing MySQL slow query logs
8. ElasticSearch alerting service: Watcher explained, monitoring Marvel data
Filter Bucket https://www.elastic.co/guide/en/elasticsearch/guide/master/_filter_bucket.html