整体查询条件
{
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"attack_time": {
"from": "2023-02-07 15:00:00",
"to": "2023-02-07 16:00:03",
"include_lower": true,
"include_upper": true,
"boost": 1
}
}
},
{
"terms": {
"alarm_project_id": [
1,
5
],
"boost": 1
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"aggregations": {
"agg_composite_project_ip": {
"composite": {
"size": 10000000,
"sources": [
{
"ip": {
"terms": {
"field": "ip",
"missing_bucket": false,
"order": "asc"
}
}
},
{
"project_id": {
"terms": {
"field": "alarm_project_id",
"missing_bucket": false,
"order": "asc"
}
}
}
]
},
"aggregations": {
"agg_max_time": {
"max": {
"field": "attack_time"
}
},
"agg_max_threat_level": {
"max": {
"field": "alarm_project_threat_level"
}
},
"agg_bucket_sort_page": {
"bucket_sort": {
"sort": [
{
"agg_max_time": {
"order": "desc"
}
}
],
"from": 0,
"size": 10,
"gap_policy": "SKIP"
}
}
}
},
"agg_cardinality_project_ip": {
"cardinality": {
"script": {
"source": "doc['alarm_project_id'].value + doc['ip'].value",
"lang": "painless"
}
}
}
}
}
核心功能Java代码
分页排序
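// Page-level sort applied to the composite buckets: threat level wins when the
// caller asked for it, otherwise the latest attack time (newest first by default).
List<FieldSortBuilder> sorts = new ArrayList<>();
FieldSortBuilder fieldSort;
Boolean threatLevelSortDesc = alarmDataSearchReq.getThreatLevelSortDesc();
if (threatLevelSortDesc != null) {
    fieldSort = new FieldSortBuilder("agg_max_threat_level")
            .order(threatLevelSortDesc ? SortOrder.DESC : SortOrder.ASC);
} else {
    Boolean timeSortDesc = alarmDataSearchReq.getTimeSortDesc();
    // null means "no preference" and falls back to descending time
    boolean timeDesc = timeSortDesc == null || timeSortDesc;
    fieldSort = new FieldSortBuilder("agg_max_time")
            .order(timeDesc ? SortOrder.DESC : SortOrder.ASC);
}
sorts.add(fieldSort);
// Paging values come straight from the request. Validate them here so a null
// page/size does not surface as an unboxing NPE and a page < 1 does not produce
// a negative "from" that Elasticsearch rejects with an opaque error.
Integer size = pageReq.getPageSize();
Integer page = pageReq.getPage();
if (size == null || size < 1) {
    throw new IllegalArgumentException("pageSize must be >= 1, got " + size);
}
if (page == null || page < 1) {
    throw new IllegalArgumentException("page must be >= 1, got " + page);
}
// multiplyExact: a large page * size silently overflowing int would wrap negative
Integer from = Math.multiplyExact(page - 1, size);
CompositeAggregationBuilder compositeAggregationBuilder = buildProjectIpCompositeAggregation();
compositeAggregationBuilder
        .subAggregation(AggregationBuilders.max("agg_max_threat_level")
                .field(FILED_PROJECT_THREAT_LEVEL))
        .subAggregation(PipelineAggregatorBuilders
                .bucketSort("agg_bucket_sort_page", sorts).from(from).size(size));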
复合聚合
// Composite aggregation keyed by (ip, project_id); every bucket also carries the
// latest attack_time so the caller can page the buckets by recency.
TermsValuesSourceBuilder ipSource = new TermsValuesSourceBuilder("ip").field("ip");
TermsValuesSourceBuilder projectSource =
        new TermsValuesSourceBuilder("project_id").field(FILED_PROJECT_ID);
List<CompositeValuesSourceBuilder<?>> listValuesSource = new ArrayList<>();
listValuesSource.add(ipSource);
listValuesSource.add(projectSource);
CompositeAggregationBuilder compositeAggregationBuilder =
        AggregationBuilders.composite("agg_composite_project_ip", listValuesSource);
// NOTE(review): size(10000000) asks Elasticsearch to materialise every distinct
// (ip, project_id) pair in a single response, so memory on both sides is bounded
// only by the data set; a cap aligned with the bucket_sort page is worth confirming.
compositeAggregationBuilder.size(10000000);
compositeAggregationBuilder.subAggregation(
        AggregationBuilders.max("agg_max_time").field("attack_time"));
聚合数据查询
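// Flatten the composite buckets into DTOs: one row per (ip, project_id) pair with
// the bucket's latest attack_time and its document count.
List<AlarmDataProjectIpDTO> list = new ArrayList<>();
ParsedComposite parsedComposite = search.getAggregations().get("agg_composite_project_ip");
for (ParsedComposite.ParsedBucket bucket : parsedComposite.getBuckets()) {
    Map<String, Object> key = bucket.getKey();
    AlarmDataProjectIpDTO dto = new AlarmDataProjectIpDTO();
    dto.setIp(String.valueOf(key.get("ip")));
    // The parsed key holds a boxed number whose concrete class depends on how the
    // JSON value was parsed; go through Number rather than a hard (Integer) cast.
    dto.setProjectId(((Number) key.get("project_id")).intValue());
    Max maxTime = bucket.getAggregations().get("agg_max_time");
    dto.setTime(maxTime.getValueAsString());
    dto.setCount(bucket.getDocCount());
    list.add(dto);
}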
聚合统计查询
// Distinct (project_id, ip) count, computed server-side by the cardinality
// aggregation's painless script.
// NOTE(review): that script concatenates the two values with no delimiter, so
// two different pairs can collapse to the same string and undercount; confirm
// a separator is inserted between the fields.
final ParsedCardinality parsedCardinality =
        search.getAggregations().get("agg_cardinality_project_ip");