ElasticSearch 6.x 学习笔记:22.桶聚合


DELETE my-index

PUT my-index

PUT my-index/persion/1

PUT my-index/persion/2

PUT my-index/persion/3
PUT my-index/persion/4

PUT my-index/persion/5
PUT my-index/persion/6
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55

22.0 Bucket aggregations


22.1 Terms Aggregation

A multi-bucket value source based aggregation where buckets are dynamically built - one per unique value.

GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "terms": {"field": "salary"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  "took": 7,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 6,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [ { "key": 15000, "doc_count": 2 }, { "key": 20000, "doc_count": 2 }, { "key": 17000, "doc_count": 1 }, { "key": 18000, "doc_count": 1 } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39


GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "terms": {"field": "salary"},
          "avg":{"field": "age"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  "took": 4,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 6,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [ { "key": 15000, "doc_count": 2, "avg_age": { "value": 26.5 } }, { "key": 20000, "doc_count": 2, "avg_age": { "value": 30.5 } }, { "key": 17000, "doc_count": 1, "avg_age": { "value": 26 } }, { "key": 18000, "doc_count": 1, "avg_age": { "value": 27 } } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51


GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "terms": {"field": "dep"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  "error": {
    "root_cause": [
        "type": "illegal_argument_exception",
        "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [dep] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead." }
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
        "shard": 0,
        "index": "my-index",
        "node": "cNWkQjt9SzKFNtyx8IIu-A",
        "reason": { "type": "illegal_argument_exception", "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [dep] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead." } }
  "status": 400
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26

根据错误提示”Fielddata is disabled on text fields by default. Set fielddata=true on [dep] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.”可知,需要开启fielddata参数。只需要设置某个字段"fielddata": true即可。
此外,根据官方文档提示se the my_field.keyword field for aggregations, sorting, or in scripts,可以尝试my_field.keyword格式用于聚合操作。

GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "terms": {"field": "dep.keyword"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  "took": 55,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 6,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [ { "key": "AI", "doc_count": 3 }, { "key": "bigdata", "doc_count": 3 } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31

22.2 Filter Aggregation

Defines a multi bucket aggregation where each bucket is associated with a filter. Each bucket will collect all documents that match its associated filter.


GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "filter": {
        "term":{"gender": "男"}
          "avg":{"field": "age"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 6,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "doc_count": 4,
      "avg_age": { "value": 28.5 } }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23

22.3 Filters Aggregation

Defines a single bucket of all the documents in the current document set context that match a specified filter. Often this will be used to narrow down the current aggregation context to a specific set of documents.


PUT /logs/message/_bulk?refresh
{ "index" : { "_id" : 1 } }
{ "body" : "warning: page could not be rendered" }
{ "index" : { "_id" : 2 } }
{ "body" : "authentication error" }
{ "index" : { "_id" : 3 } }
{ "body" : "warning: connection timed out" }

GET logs/_search
  "size": 0,
  "aggs" : {
    "messages" : {
      "filters" : {
        "filters" : {
          "errors" :   { "match" : { "body" : "error"   }},
          "warnings" : { "match" : { "body" : "warning" }}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  "took": 54,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 3,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "messages": {
      "buckets": { "errors": { "doc_count": 1 }, "warnings": { "doc_count": 2 } } }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27


GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
        "filters": [
          {"match":{"gender": "男"}},
          {"match":{"gender": "女"}}
            "avg":{"field": "age"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 6,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "buckets": [ { "doc_count": 4, "avg_age": { "value": 28.5 } }, { "doc_count": 2, "avg_age": { "value": 26.5 } } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33

22.4 Range Aggregation


A multi-bucket value source based aggregation that enables the user to define a set of ranges - each representing a bucket. During the aggregation process, the values extracted from each document will be checked against each bucket range and “bucket” the relevant/matching document. Note that this aggregation includes the from value and excludes the to value for each range.


GET my-index/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "range": {
        "field": "salary",
        "ranges": [
            {"to": 10000},
            {"from": 10000,"to":20000},  
            {"from": 20000}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  "took": 101,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 6,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "buckets": [ { "key": "*-10000.0", "to": 10000, "doc_count": 0 }, { "key": "10000.0-20000.0", "from": 10000, "to": 20000, "doc_count": 4 }, { "key": "20000.0-*", "from": 20000, "doc_count": 2 } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37


GET website/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "range": {
        "field": "postdate",
        "ranges": [
            {"to": "2016-12-01"},
            {"from": "2016-12-01","to":"2017-01-01"},  
            {"from": "2017-01-01"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  "took": 24,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 9,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "buckets": [ { "key": "*-2016-12-01", "to": 1480550400000, "to_as_string": "2016-12-01", "doc_count": 0 }, { "key": "2016-12-01-2017-01-01", "from": 1480550400000, "from_as_string": "2016-12-01", "to": 1483228800000, "to_as_string": "2017-01-01", "doc_count": 7 }, { "key": "2017-01-01-*", "from": 1483228800000, "from_as_string": "2017-01-01", "doc_count": 2 } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41

22.5 Date Range聚合

A range aggregation that is dedicated for date values. The main difference between this aggregation and the normal range aggregation is that the from and to values can be expressed in Date Math expressions, and it is also possible to specify a date format by which the from and to response fields will be returned. Note that this aggregation includes the from value and excludes the to value for each range.
专用于日期值的范围聚合。 这种聚合和正常范围聚合的主要区别在于,起始和结束值可以在日期数学表达式中表示,并且还可以指定返回起始和结束响应字段的日期格式。 请注意,此聚合包含from值并排除每个范围的值。


GET website/_search
  "size": 0, 
  "aggs": {
    "group_count": {
      "range": {
        "field": "postdate",
        "ranges": [
            {"to": "now-12M/M"},
            {"from": "now-12M/M"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  "took": 44,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 9,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "group_count": {
      "buckets": [ { "key": "*-2017-01-01", "to": 1483228800000, "to_as_string": "2017-01-01", "doc_count": 7 }, { "key": "2017-01-01-*", "from": 1483228800000, "from_as_string": "2017-01-01", "doc_count": 2 } ] }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33

22.6 Missing聚合


A field data based single bucket aggregation, that creates a bucket of all documents in the current document set context that are missing a field value (effectively, missing a field or having the configured NULL value set). This aggregator will often be used in conjunction with other field data bucket aggregators (such as ranges) to return information for all the documents that could not be placed in any of the other buckets due to missing field data values.
基于字段数据的单桶集合,创建当前文档集上下文中缺少字段值(实际上缺少字段或设置了配置的NULL值)的所有文档的桶。 此聚合器通常会与其他字段数据存储桶聚合器(如范围)一起使用,以返回由于缺少字段数据值而无法放置在其他存储桶中的所有文档的信息。

PUT my-index/persion/7
PUT my-index/persion/8
PUT my-index/persion/9
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20


GET my-index/_search
  "size": 0, 
  "aggs": {
    "noDep_count": {
      "missing": {"field": "salary"}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  "took": 29,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 9,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "noDep_count": {
      "doc_count": 3 }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20

22.7 children聚合


A special single bucket aggregation that selects child documents that have the specified type, as defined in a join field.

这种聚合有一个单一的选择:type - 应该选择的子类型.

下面通过join字段定义了一个单一关系,question 是answer的父文档。

PUT join_index
  "mappings": {
    "doc": {
      "properties": {
        "my_join_field": { 
          "type": "join",
          "relations": {
            "question": "answer" 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15


PUT join_index/doc/1?refresh
  "text": "This is a question",
  "my_join_field": {
    "name": "question" 

PUT join_index/doc/2?refresh
  "text": "This is a another question",
  "my_join_field": {
    "name": "question"
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15


PUT join_index/doc/3?routing=1&refresh 
  "text": "This is an answer",
  "my_join_field": {
    "name": "answer", 
    "parent": "1" 

PUT join_index/doc/4?routing=1&refresh
  "text": "This is another answer",
  "my_join_field": {
    "name": "answer",
    "parent": "1"
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17


POST join_index/_search
  "size": 0, 
  "aggs": {
    "to-answers": {
        "children": {
          "type" : "answer" 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  "took": 4,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  "hits": {
    "total": 4,
    "max_score": 0,
    "hits": []
  "aggregations": {
    "to-answers": {
      "doc_count": 2 }
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20

Global Aggregation


Defines a single bucket of all the documents within the search execution context. This context is defined by the indices and the document types you’re searching on, but is not influenced by the search query itself.

NOTE:Global aggregators can only be placed as top level aggregators because it doesn’t make sense to embed a global aggregator within another bucket aggregator.

Histogram Aggregation


IP Range Aggregation


Just like the dedicated date range aggregation, there is also a dedicated range aggregation for IP typed fields:

Nested Aggregationedit


A special single bucket aggregation that enables aggregating nested documents.

For example, lets say we have an index of products, and each product holds the list of resellers - each having its own price for the product. The mapping could look like:





当前余额3.43前往充值 >
领取后你会自动成为博主和红包主的粉丝 规则
钱包余额 0


