我试图获取两个日志条目(如RequestExecuted和RequestReceived)之间的时差,并使用文件名MessageIdentifier。这些值由名为TransactionId的唯一ID链接。下面是我做逻辑的代码。
int timetaken=0;
int start=0;
String TransactionId;
int end=0;
for(int i = 0; i < 10; ++i){
if (doc['dissect.MessageIdentifier'].value[i]=='RequestReceived') {
start=params._source.dissect.timestamp[i];
TransactionId=params._source.dissect.TransactionId[i];
}
if( doc['dissect.MessageIdentifier'].value[i] =='RequestExecuted'
&& params._source.dissect.TransactionId == TransactionId) {
end=params._source.dissect.timestamp[i];
timetaken = end - start;
return timetaken;
}
}
当我编译我的脚本时,它给了我一个错误:
lang": "painless",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "Attempting to address a non-array-like type [java.lang.String] as an array."
这是索引片段:
您的帮助将非常重要。
最佳答案
假设dissect字段是嵌套对象的数组,则可以执行以下操作:
创建索引
PUT dissect
{
"mappings": {
"properties": {
"dissect" : {
"type": "nested",
"properties" : {
"MessageIdentifier" : {
"type" : "text",
"fielddata": true,
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"TransationId" : {
"type" : "text",
"fielddata": true,
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"timestamp" : {
"type" : "date"
}
}
}
}
}
}
同步样本
POST dissect/_doc
{
"dissect": [
{
"MessageIdentifier": "abc",
"timestamp": 200,
"TransationId": "xyz"
},
{
"MessageIdentifier": "RequestReceived",
"timestamp": 300,
"TransationId": "xyz"
},
{
"MessageIdentifier": "RequestExecuted",
"timestamp": 400,
"TransationId": "xyz"
}
]
}
运行您的脚本字段
GET dissect/_search
{
"script_fields": {
"timetaken": {
"script": {
"source": """
int timetaken = 0;
int start = 0;
String TransactionId;
int end = 0;
for (def dissect_item : params._source['dissect']) {
if (dissect_item['MessageIdentifier'] == 'RequestReceived') {
start = dissect_item['timestamp'];
TransactionId = dissect_item['TransactionId'];
}
if( dissect_item['MessageIdentifier'] =='RequestExecuted'
&& dissect_item['TransactionId'] == TransactionId) {
end = dissect_item['timestamp'];
timetaken = end - start;
return timetaken;
}
}
"""
}
}
}
}
屈服
[
{
"_index":"dissect",
"_type":"_doc",
"_id":"_v7u43EBW-D5QnrWmjtM",
"_score":1.0,
"fields":{
"timetaken":[
100 <-----
]
}
}
]
关键要点:您不想迭代硬编码长度10,而只是
for (def dissect_item : params._source['dissect'])
关于elasticsearch - 通过无痛脚本获得两个日志条目之间的时差,这些条目之间用唯一的ID分隔,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61597329/