我有一些鱿鱼数据,如下所示:
{"requestresultcode": "TCP_MISS/200"},
{"requestresultcode": "TCP_MISS/200"},
{"requestresultcode": "TCP_MISS/302"},
{"requestresultcode": "TCP_MISS/504"},
{"requestresultcode": "TCP_MISS/200"},
{"requestresultcode": "ERR_CLIENT_ABORT/000"},
{"requestresultcode": "ERR_CLIENT_ABORT/200"},
{"requestresultcode": "ERR_CLIENT_ABORT/302"},
{"requestresultcode": "ERR_CLIENT_ABORT/502"},
{"requestresultcode": "ERR_CONNECT_FAIL/502"}
我想按字段分组,所以我使用了聚合术语
{
"aggs": {
"agg1": {
"terms": {
"field": "cacheresultcode"
}
}
}
}
我得到了结果:
"aggregations": {
"agg1": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "200",
"doc_count": 2011
},
{
"key": "tcp_miss",
"doc_count": 1740
},
{
"key": "err_client_abort",
"doc_count": 705
},
{
"key": "302",
"doc_count": 244
},
{
"key": "000",
"doc_count": 185
},
{
"key": "502",
"doc_count": 24
},
{
"key": "err_connect_fail",
"doc_count": 23
},
{
"key": "504",
"doc_count": 4
}
]
}
}
使用SQL之间有一些不同,我认为应该像
我应该怎么做 ?
谢谢你的帮助 !!
最佳答案
如果您在其他地方使用了分析字段,则可以使用multifields为cacheresultcode设置关键字类型。
映射
{
"mappings": {
"document_type" : {
"properties": {
"cacheresultcode":{
"type": "text",
"fields": {
"keyword" : {
"type": "keyword"
}
}
}
}
}
}
}
查询
{
"aggs": {
"agg1": {
"terms": {
"field": "cacheresultcode.keyword"
}
}
}
}
希望这可以帮助。
关于elasticsearch - Elasticsearch分组依据字段,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43488995/