Kibana: filter results by the aggregated min and max dates of documents matching an id

nr7wwzry  posted on 2021-06-10  in  ElasticSearch

I want to pass an event id to Kibana/Elasticsearch and look up the minimum and maximum dates for that event id from the @timestamp field. Then I want to set the date range to those dates and display all the results. I think this should be doable.
I can get the min and max with this aggregation:

GET /filebeat-*/_search
{
  "query": {
    "match": {
      "event_id": 1234
    }
  },
  "aggs" : {
     "min_date": {"min": {"field": "@timestamp" }},
     "max_date": {"max": {"field": "@timestamp" }}
  }
}

And I can get results by searching a specific date range:

GET /filebeat-*/_search
{
  "query": {
    "bool": {
      "filter": {
          "range": {"@timestamp": {"gte": "2020-09-11T13:35:35.000Z", "lte": "2020-09-24T20:35:07.000Z"}}
      }
    }
  }
}

How can I combine the two, so that I only change the event id and get a kind of automatic date range feature?
Edit:
I can do this:

GET /filebeat-*/_search
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "event_id": 1234
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "lte": "2020-09-25",
            "gte": "2020-09-24"
          }
        }
      }
    }
  },
  "aggs": {
    "min_date": {
      "min": {
        "field": "@timestamp"
      }
    },
    "max_date": {
      "max": {
        "field": "@timestamp"
      }
    }
  }
}

But what I want to do is:

GET /filebeat-*/_search
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "event_id": 1234
        }
      },
      "filter": {
        "range": {
          "@timestamp": {
            "lte": "max_date",
            "gte": "min_date"
          }
        }
      }
    }
  },
  "aggs": {
    "min_date": {
      "min": {
        "field": "@timestamp"
      }
    },
    "max_date": {
      "max": {
        "field": "@timestamp"
      }
    }
  }
}

But this gives the error: "failed to parse date field [min_date]". Is it possible to use the aggregation's min and max values to define the date range?

k3bvogb1


Since you have not provided any sample index data, I am applying the range query on a date-type field.
Adding a working example with index mapping, data, search query, and search result.
Index mapping:

{
  "mappings": {
    "properties": {
      "date": {
        "type": "date" 
      }
    }
  }
}

Index data:

{
    "date": "2015-02-10",
    "event_id":"1234"
}
{
    "date": "2015-01-01",
    "event_id":"1235"
}
{
    "date": "2015-02-01",
    "event_id":"1234"
}
{
    "date": "2015-02-01",
    "event_id":"1235"
}
{
    "date": "2015-01-20",
    "event_id":"1234"
}

Search query:

{
  "query": {
    "bool": {
      "must": {
        "match": {
          "event_id": 1234
        }
      },
      "filter": {
        "range": {
          "date": {
            "lte": "2015-02-15",
            "gte": "2015-01-11"
          }
        }
      }
    }
  },
  "aggs": {
    "min_date": {
      "min": {
        "field": "date"
      }
    },
    "max_date": {
      "max": {
        "field": "date"
      }
    }
  }
}

Search result:

"hits": {
    "total": {
      "value": 3,
      "relation": "eq"
    },
    "max_score": 0.44183272,
    "hits": [
      {
        "_index": "stof_64127765",
        "_type": "_doc",
        "_id": "3",
        "_score": 0.44183272,
        "_source": {
          "date": "2015-02-01",
          "event_id": "1234"
        }
      },
      {
        "_index": "stof_64127765",
        "_type": "_doc",
        "_id": "1",
        "_score": 0.44183272,
        "_source": {
          "date": "2015-02-10",
          "event_id": "1234"
        }
      },
      {
        "_index": "stof_64127765",
        "_type": "_doc",
        "_id": "5",
        "_score": 0.44183272,
        "_source": {
          "date": "2015-01-20",
          "event_id": "1234"
        }
      }
    ]
  },
  "aggregations": {
    "max_date": {
      "value": 1.4235264E12,
      "value_as_string": "2015-02-10T00:00:00.000Z"
    },
    "min_date": {
      "value": 1.421712E12,
      "value_as_string": "2015-01-20T00:00:00.000Z"
    }
  }
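The two-step approach the question is really asking for, as an added example that is not part of the original question or answer: Elasticsearch cannot reference an aggregation result inside the query of the same request (which is why `"gte": "min_date"` fails to parse as a date), so the min/max come back from a first request and are fed into the range filter of a second one. The `search` callable is an assumption standing in for an Elasticsearch client call, and the sample response is constructed from the shape of the aggregation section shown in the answer above.

```python
from typing import Callable, Optional, Tuple

def build_minmax_query(event_id, ts_field: str = "@timestamp") -> dict:
    """Request 1: match the event id and aggregate min/max of the timestamp field."""
    return {
        "size": 0,  # only the aggregation values are needed, not the hits
        "query": {"match": {"event_id": event_id}},
        "aggs": {
            "min_date": {"min": {"field": ts_field}},
            "max_date": {"max": {"field": ts_field}},
        },
    }

def extract_bounds(response: dict) -> Optional[Tuple[str, str]]:
    """Pull value_as_string out of both aggregations; None when nothing matched
    (Elasticsearch then returns "value": null and no value_as_string)."""
    aggs = response.get("aggregations", {})
    lo = aggs.get("min_date", {}).get("value_as_string")
    hi = aggs.get("max_date", {}).get("value_as_string")
    if lo is None or hi is None:
        return None
    return lo, hi

def build_range_query(lo: str, hi: str, event_id=None, ts_field: str = "@timestamp") -> dict:
    """Request 2: everything in [lo, hi]; pass event_id to restrict to that id only.
    The id travels as a JSON value, never string-interpolated into the query body."""
    clauses = {"filter": {"range": {ts_field: {"gte": lo, "lte": hi}}}}
    if event_id is not None:
        clauses["must"] = {"match": {"event_id": event_id}}
    return {"query": {"bool": clauses}}

def two_step(event_id, search: Callable[[dict], dict], only_this_event: bool = True) -> Optional[dict]:
    """search(body) -> response dict, e.g. lambda b: es.search(index="filebeat-*", body=b) (assumed)."""
    bounds = extract_bounds(search(build_minmax_query(event_id)))
    if bounds is None:
        return None
    lo, hi = bounds
    return build_range_query(lo, hi, event_id if only_this_event else None)

# Constructed sample response mirroring the aggregation section of the answer's search result.
SAMPLE_AGG_RESPONSE = {
    "hits": {"total": {"value": 3, "relation": "eq"}, "hits": []},
    "aggregations": {
        "max_date": {"value": 1.4235264e12, "value_as_string": "2015-02-10T00:00:00.000Z"},
        "min_date": {"value": 1.421712e12, "value_as_string": "2015-01-20T00:00:00.000Z"},
    },
}
```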
