elasticsearch - elasticsearch 中简单计数聚合的 400 错误

Question

我正在尝试对 Elasticsearch 中的字段进行简单计数，但一直收到 400 错误...

这是我的查询:

curl -XPOST "http://host/logstash-2016.05.19/_search" -d'
{
   "aggregations": {
      "the_name": {
         "terms": {
            "field": "serviceName"
         },
         "aggregations": {
            "callcnt": {
               "count": {
                  "field": "requestId"
               }
            }
         }
      }
   }
}'

这是我返回的错误:

{
   "error": "SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; shardFailures {[ZWtovPXtTfSuJzg9M3FMjw][logstash-2016.05.19][0]: RemoteTransportException[[es4][inet[/10.149.76.55:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2016.05.19][0]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   \"aggregations\": {\n      \"the_name\": {\n         \"terms\": {\n            \"field\": \"serviceName\"\n         },\n         \"aggregations\": {\n            \"callcnt\": {\n               \"count\": {\n                  \"field\": \"requestId\"\n               }\n            }\n         }\n      }\n   }\n}\n]]]; nested: SearchParseException[[logstash-2016.05.19][0]: from[-1],size[-1]: Parse Failure [Could not find aggregator type [count] in [callcnt]]]; }{[vSqpHGQXRf6OUIEF_kQ1jg][logstash-2016.05.19][1]: RemoteTransportException[[es2][inet[/10.149.76.138:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2016.05.19][1]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   \"aggregations\": {\n      \"the_name\": {\n         \"terms\": {\n            \"field\": \"serviceName\"\n         },\n         \"aggregations\": {\n            \"callcnt\": {\n               \"count\": {\n                  \"field\": \"requestId\"\n               }\n            }\n         }\n      }\n   }\n}\n]]]; nested: SearchParseException[[logstash-2016.05.19][1]: from[-1],size[-1]: Parse Failure [Could not find aggregator type [count] in [callcnt]]]; }{[PwDi_CIiQHmOHp34KdWk0A][logstash-2016.05.19][2]: RemoteTransportException[[es3][inet[/10.149.76.97:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2016.05.19][2]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   \"aggregations\": {\n      \"the_name\": {\n         \"terms\": {\n            \"field\": \"serviceName\"\n         },\n         \"aggregations\": {\n            \"callcnt\": {\n               \"count\": {\n                  \"field\": \"requestId\"\n               }\n            }\n         }\n      }\n   }\n}\n]]]; nested: SearchParseException[[logstash-2016.05.19][2]: from[-1],size[-1]: Parse Failure [Could not find aggregator type [count] in [callcnt]]]; }{[PwDi_CIiQHmOHp34KdWk0A][logstash-2016.05.19][3]: RemoteTransportException[[es3][inet[/10.149.76.97:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2016.05.19][3]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   \"aggregations\": {\n      \"the_name\": {\n         \"terms\": {\n            \"field\": \"serviceName\"\n         },\n         \"aggregations\": {\n            \"callcnt\": {\n               \"count\": {\n                  \"field\": \"requestId\"\n               }\n            }\n         }\n      }\n   }\n}\n]]]; nested: SearchParseException[[logstash-2016.05.19][3]: from[-1],size[-1]: Parse Failure [Could not find aggregator type [count] in [callcnt]]]; }{[PwDi_CIiQHmOHp34KdWk0A][logstash-2016.05.19][4]: RemoteTransportException[[es3][inet[/10.149.76.97:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2016.05.19][4]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   \"aggregations\": {\n      \"the_name\": {\n         \"terms\": {\n            \"field\": \"serviceName\"\n         },\n         \"aggregations\": {\n            \"callcnt\": {\n               \"count\": {\n                  \"field\": \"requestId\"\n               }\n            }\n         }\n      }\n   }\n}\n]]]; nested: SearchParseException[[logstash-2016.05.19][4]: from[-1],size[-1]: Parse Failure [Could not find aggregator type [count] in [callcnt]]]; }]",
   "status": 400
}

我也在使用 Sense chrome 扩展来运行查询，所以不确定这是否会有所不同。

查询 elasticsearch 的新手，所以我尝试遵循一些在线指南，但没有得到任何进展......我可以成功地进行简单查询，但似乎无法弄清楚聚合......

编辑:

如果它是一个 sql 查询，我试图用聚合做的是得到类似这样的东西:

select serviceName, count(requestId) as cnt
from tableA
group by serviceName

结果:

serviceName | cnt
-----------------
srvc1          32
srvc3          18
srvc7          75
etc...

Answer 1

问题是没有count聚合。您需要使用的聚合称为 value_count

查看错误:

Parse Failure [Could not find aggregator type [count] in [callcnt]]];

改用它，它会起作用:

curl -XPOST "http://host/logstash-2016.05.19/_search" -d '{
   "aggregations": {
      "the_name": {
         "terms": {
            "field": "serviceName"
         },
         "aggregations": {
            "callcnt": {
               "value_count": {
                  "field": "requestId"
               }
            }
         }
      }
   }
}'

更新

根据您的评论，这里是您可以做您需要的事情的方法，即使用 terms 子聚合而不是 value_count 子聚合。

curl -XPOST "http://host/logstash-2016.05.19/_search" -d '{
   "aggregations": {
      "the_name": {
         "terms": {
            "field": "serviceName"
         },
         "aggregations": {
            "callcnt": {
               "terms": {
                  "field": "requestId"
               }
            }
         }
      }
   }
}'