以下操作都是在kibana的Dev Tools中进行。
1. 日期range筛选
基本用法:
GET /my_index/_search
{
"query":
{"bool":
{"must":
[{"match_phrase":{"Service":{"query":"service-001"}}},{"match_phrase":{"Location":{"query":"xxx"}}}],
"filter": {
"range" : {
"timestamp" : {
"gt" : "2014-01-01 00:00:00",
"lt" : "2014-01-07 00:00:00"
}
}
}
}
},
"_source":["ConcurrentSession","timestamp"]
}range接受以下参数:
|
| Greater-than or equal to |
|
| Greater-than |
|
| Less-than or equal to |
|
| Less-than |
距离当前时间的计算(最近一小时):
"range" : {
"timestamp" : {
"gt" : "now-1h"
}
}对于实际日期需要加双竖线||. 比如:
"range" : {
"timestamp" : {
"gt" : "2018-01-01 00:00:00",
"lt" : "2018-01-01 00:00:00||+1M",
"format": "yyyy-MM-dd HH:mm:ss"
}
}2. Group by以及按field累加操作
例如:将timestamp相同的所有ConcurrentSession分别累加。
{
"query": {"bool":
{"must":
[{"match_phrase":{"Service":{"query":"service-001"}}},
{"exists" : { "field" : "ConcurrentSession" }}]
}
},
"size":1000,
"sort": [
{
"timestamp": {
"order": "desc"
}
}
],
"_source":["ConcurrentSession","timestamp"],
"aggregations": {
"group_by_timestamp": {
"terms": {
"field": "timestamp",
"size": 1000,
"order" : { "_key" : "asc" }
},
"aggregations": {
"sum_on_concurrentsession": {
"sum": {
"field": "ConcurrentSession"
}
}
}
}
}
}查询结果类似于下面的结果,注意,hits里面针对同一个时间戳可能会有多条数据,比如service-001在多台机器上做load balance,每台机器都会产生concurrent session,最终在做aggregation的时候,会把相同时间戳的多条数据通过sum操作进行累加。
{
"hits": ......
"aggregations" : {
"group_by_timestamp" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : 1546156800000,
"key_as_string" : "2018-01-01T08:00:00.000Z",
"doc_count" : 4,
"sum_on_concurrentsession" : {
"value" : 2001
}
},
{
"key" : 1546157700000,
"key_as_string" : "2018-01-01T09:00:00.000Z",
"doc_count" : 4,
"sum_on_concurrentsession" : {
"value" : 2002
}
}
]
}
}
}参考:https://www.elastic.co/guide/en/elasticsearch/guide/current/_ranges.html
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
