获取事件的细节发生在所需持续时间中

发布于 2025-02-03 05:59:54 字数 1483 浏览 3 评论 0 原文

在Elasticsearch中，我仅在事件名称发生 x time n 天或特定持续时间时才需要获取记录。

样本索引数据如下：

{"event":{"name":"event1"},"timestamp":"2010-06-20"}

我能够在特定持续时间内获取所需事件名称的最小发生记录。但是，我想要确切的匹配计数，而不是最低限度。这是我尝试的：

{
  "_source": true,
  "size": 0, 
  "query": { 
    "bool": {
      "filter":
      {
        "range": { "timestamp": { "gte": "2010", "lte": "2016" }}
      },
      "must":
      [
        { "match": { "event.name.keyword": "event1" }}
      ]
    }
  },
  "aggs": {
    "occurrence": {
      "terms": {
        "field": "event.name.keyword",
        "min_doc_count": 5,
        "size": 10
      }
    }
  }
}

实现同样的方法是使用 value_count 。但是在这里，我也无法添加条件以匹配确切的事件。

{
  "_source": true,
  "size": 0, 
  "query": { 
    "bool": {
      "filter":
      {
        "range": { "timestamp": { "gte": "2010", "lte": "2016" }}
      },
      "must":
      [
        { "match": { "event.name.keyword": "event1" }}
      ]
    }
  },
  "aggs": {
    "occurrence": {
      "value_count": {
        "field": "event.name.keyword"
      }
    }
  }
}

它提供了输出为（简短删除其他输出）：

  "aggregations" : {
    "occurrence" : {
      "value" : 2
    }
  }

但是我需要在AGGR的输出中添加条件（出现）以与此事件完全匹配，以便我只能获取记录如果事件发生恰好发生X时间。

一些ES专家可以帮助我吗？

原文

In ElasticSearch, I need to fetch the records only if the Event name occurred exactly x times in n days or a particular duration.

Sample index data is as below:

{"event":{"name":"event1"},"timestamp":"2010-06-20"}

I'm able to get the records of the minimum occurrence of desired event name in a particular duration. But instead of minimum, I want the exact matching count. Here's what I tried:

{
  "_source": true,
  "size": 0, 
  "query": { 
    "bool": {
      "filter":
      {
        "range": { "timestamp": { "gte": "2010", "lte": "2016" }}
      },
      "must":
      [
        { "match": { "event.name.keyword": "event1" }}
      ]
    }
  },
  "aggs": {
    "occurrence": {
      "terms": {
        "field": "event.name.keyword",
        "min_doc_count": 5,
        "size": 10
      }
    }
  }
}

Another way to achieve the same is by using value_count. But here as well, I'm unable to add a condition to match exact occurrences.

{
  "_source": true,
  "size": 0, 
  "query": { 
    "bool": {
      "filter":
      {
        "range": { "timestamp": { "gte": "2010", "lte": "2016" }}
      },
      "must":
      [
        { "match": { "event.name.keyword": "event1" }}
      ]
    }
  },
  "aggs": {
    "occurrence": {
      "value_count": {
        "field": "event.name.keyword"
      }
    }
  }
}

It provides the output as (Other output is removed for brevity):

  "aggregations" : {
    "occurrence" : {
      "value" : 2
    }
  }

But I need to add a condition in the output of aggr (occurrence here) to exactly match the occurrence so that I can get the records only if the event occurred exactly x times.

Can some ES experts help me on this?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

我一向站在原地 2025-02-10 05:59:54

您可以使用并添加条件，如下所示。以下查询将为您提供总共5次的事件。您可以为要应用的任何过滤器添加一个查询子句，例如日期范围或事件名称或其他任何内容。

{
  "size": 0,
  "aggs": {
    "count": {
      "terms": {
        "field": "event.name.keyword",
        "size": 10
      },
      "aggs": {
        "val_count": {
          "value_count": {
            "field": "event.name.keyword"
          }
        },
        "selector": {
          "bucket_selector": {
            "buckets_path": {
              "my_var1": "val_count"
            },
            "script": "params.my_var1 == 5"
          }
        }
      }
    }
  }
}

您将获得以下类似的结果：

"aggregations" : {
    "count" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "event1",
          "doc_count" : 5,
          "val_count" : {
            "value" : 5
          }
        },
        {
          "key" : "event8",
          "doc_count" : 5,
          "val_count" : {
            "value" : 5
          }
        }
      ]
    }
  }

You can use Bucket Selector Aggregation and add condition as shown below for the count. Below query will give you only event which is occurs total 5 times. You can add a query clause for whatever filter you want to apply like date range or event name or anything else.

{
  "size": 0,
  "aggs": {
    "count": {
      "terms": {
        "field": "event.name.keyword",
        "size": 10
      },
      "aggs": {
        "val_count": {
          "value_count": {
            "field": "event.name.keyword"
          }
        },
        "selector": {
          "bucket_selector": {
            "buckets_path": {
              "my_var1": "val_count"
            },
            "script": "params.my_var1 == 5"
          }
        }
      }
    }
  }
}

You will get result something like below:

"aggregations" : {
    "count" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "event1",
          "doc_count" : 5,
          "val_count" : {
            "value" : 5
          }
        },
        {
          "key" : "event8",
          "doc_count" : 5,
          "val_count" : {
            "value" : 5
          }
        }
      ]
    }
  }

回复收藏 0 原文

~没有更多了~