elasticsearch - Elasticsearch分组依据字段

Question

我有一些鱿鱼数据，如下所示:

{"requestresultcode": "TCP_MISS/200"},
{"requestresultcode": "TCP_MISS/200"},
{"requestresultcode": "TCP_MISS/302"},
{"requestresultcode": "TCP_MISS/504"},
{"requestresultcode": "TCP_MISS/200"},
{"requestresultcode": "ERR_CLIENT_ABORT/000"},
{"requestresultcode": "ERR_CLIENT_ABORT/200"},
{"requestresultcode": "ERR_CLIENT_ABORT/302"},
{"requestresultcode": "ERR_CLIENT_ABORT/502"},
{"requestresultcode": "ERR_CONNECT_FAIL/502"}

我想按字段分组，所以我使用了聚合术语

{
  "aggs": {
    "agg1": {
      "terms": {
        "field": "cacheresultcode"
      }
    }
  }
}

我得到了结果:

"aggregations": {
    "agg1": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "200",
          "doc_count": 2011
        },
        {
          "key": "tcp_miss",
          "doc_count": 1740
        },
        {
          "key": "err_client_abort",
          "doc_count": 705
        },
        {
          "key": "302",
          "doc_count": 244
        },
        {
          "key": "000",
          "doc_count": 185
        },
        {
          "key": "502",
          "doc_count": 24
        },
        {
          "key": "err_connect_fail",
          "doc_count": 23
        },
        {
          "key": "504",
          "doc_count": 4
        }
      ]
    }
  }

使用SQL之间有一些不同，我认为应该像

ERR_CLIENT_ABORT / 000

ERR_CLIENT_ABORT / 200

ERR_CLIENT_ABORT / 302

ERR_CLIENT_ABORT / 502

ERR_CONNECT_FAIL / 502

TCP_MISS / 200

TCP_MISS / 302

TCP_MISS / 504

我应该怎么做 ？
谢谢你的帮助 !!

Answer 1

如果您在其他地方使用了分析字段，则可以使用multifields为cacheresultcode设置关键字类型。

映射

{
  "mappings": {
    "document_type" : {
      "properties": {
        "cacheresultcode":{
          "type": "text",
          "fields": {
            "keyword" : {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}

查询

{
  "aggs": {
    "agg1": {
      "terms": {
        "field": "cacheresultcode.keyword"
      }
    }
  }
}

希望这可以帮助。