我在ElasticSearch中有以下文档:
"ip": "192.168.10.12", "@timestamp": "2017-08-10T00:00:00.000Z", "states": "newyork", "user" : "admin"
"ip": "192.168.10.12", "@timestamp": "2017-08-10T01:25:00.000Z", "states": "California", "user" : "guest"
我试图按用户使用Elasticsearch术语聚合
我在这里:
{
"size":0,
"query":{
"bool":{
"must":[
{
"term":{
"user":"admin"
}
},
{
"range":{
"@timestamp":{
"gte": "2017-08-10T00:00:00.000Z",
"lte": "2017-08-10T04:58:00.000Z"
}
}
}
]
}
},
"aggs":{
"states":{
"terms":{
"field":"states",
"min_doc_count":8
}
}
}
}
从查询中返回:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"failed": 0
},
"hits": {
"total": 2,
"max_score": 0,
"hits": []
},
"aggregations": {
"states": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "New York",
"doc_count": 200
},
{
"key": "California",
"doc_count": 10
},
{
"key": "North Dakota",
"doc_count": 125
}
]
}
}
}
我想在每个存储桶中获得最小的@timestamp,
但是从返回中我可以让每个存储桶“最小” @timestamp吗?
最佳答案
您可以简单地添加min指标子聚合
"aggs":{
"states":{
"terms":{
"field":"states",
"min_doc_count":8
},
"aggs": {
"min_timestamp": {
"min": {
"field": "@timestamp"
}
}
}
}
}
关于elasticsearch - ElasticSearch-如何在每个聚合桶中获得最小时间戳?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45707286/