查询:
GET test5/_search
{
"size": 1,
"aggregations": {
"Location": {
"terms": {
"field": "Location"
}
}
}
}
输出:
{
"took": 5,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 19,
"max_score": 1,
"hits": [
{
"_index": "test5",
"_type": "xxxxxx",
"_id": "AVLOBXbvFe2VQdUY7tZu",
"_score": 1,
"_source": {
fired",
"Host": "N/A",
"Mac": "N/A",
"Destination IP": "xxx.xxx.xxx.xxx",
"Location": "United States",
"Events/Flows": "107",
"Asset Name": "N/A",
"Custom Rule XXXX :": "xxxxxxfp",
"User": "N/A"
}
}
]
},
"aggregations": {
"Location": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "other",
"doc_count": 11
},
{
"key": "states",
"doc_count": 2
},
{
"key": "united",
"doc_count": 2
}
]
}
}
}
您会注意到,美国已被当作两个键。如何获得美国作为单键?
最佳答案
您需要确保Location字段为not_analyzed,否则其值将被ES标记和分析,以便United States成为您看到的两个标记:united和states
当creating your mapping时,您需要确保您的Location字段如下所示:
curl -XPUT localhost:9200/test5/_mapping/xxxxxx -d '{
"properties": {
... your other fields...
"Location": {
"type": "string",
"index": "not_analyzed" <--- make sure to add this
}
}
}
关于elasticsearch - 如何使用ElasticSearch处理聚合?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35442651/