我有以下ES查询来计算最近30天的主机平均CPU。
es_query = {
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{"range": {"@timestamp": {"gte": "now-30d",}}},
{"query_string": {"query": 'hostname: myhost',"analyze_wildcard": True}}
],
"should": [
{"match": {"metricset.name": "cpu"}}
]
}
}
}
},
"aggs": {
"group_by_time_interval": {
"date_histogram": {
"field": "@timestamp",
"interval": "1h",
"time_zone": "PST8PDT",
"min_doc_count": 1
},
"aggs": {
"cpu_used_avg_pct": {"avg": {"field": "system.cpu.total.pct"}}
}
},
"avg_monthly_cpu_pct": {
"avg_bucket": {
"buckets_path": "group_by_time_interval>cpu_used_avg_pct"
}
}
}
}
执行后,它会按预期返回最近30天的平均CPU。
问题是:仅通过扩展上述查询,我还如何计算最近7天的平均CPU?
当前,我的愚蠢解决方案是复制到另一个查询,将“gte:now-30d”替换为“gte:now-7d”,然后再次运行,这非常耗时。
谢谢。
亚历克斯
最佳答案
您最容易做的就是添加最近7天过滤的另一个聚合:
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-30d"
}
}
},
{
"query_string": {
"query": "hostname: myhost",
"analyze_wildcard": true
}
}
],
"should": [
{
"match": {
"metricset.name": "cpu"
}
}
]
}
}
}
},
"aggs": {
"group_by_time_interval": {
"date_histogram": {
"field": "@timestamp",
"interval": "1h",
"time_zone": "PST8PDT",
"min_doc_count": 1
},
"aggs": {
"cpu_used_avg_pct": {
"avg": {
"field": "system.cpu.total.pct"
}
}
}
},
"avg_monthly_cpu_pct": {
"avg_bucket": {
"buckets_path": "group_by_time_interval>cpu_used_avg_pct"
}
},
"last_7_days": {
"filter": {
"range": {
"@timestamp": {
"gte": "now-7d"
}
}
},
"aggs": {
"last_7_days_interval": {
"date_histogram": {
"field": "@timestamp",
"interval": "1h",
"time_zone": "PST8PDT",
"min_doc_count": 1
},
"aggs": {
"cpu_used_avg_pct": {
"avg": {
"field": "system.cpu.total.pct"
}
}
}
},
"avg_monthly_cpu_pct": {
"avg_bucket": {
"buckets_path": "last_7_days_interval>cpu_used_avg_pct"
}
}
}
}
}
}
关于elasticsearch - Elasticsearch-计算子范围聚合,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52586348/