如何排除文档计数(doc_count)等于 0 的桶

wfveoks0  于 2022-10-06  发布在  ElasticSearch

我想从 date_histogram 聚合的响应中排除那些 doc_count 等于 0 的桶,然后获取过滤后剩余桶的数量。

查询为:

GET metricbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "host.cpu.usage": {
              "gte": 0.8
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2022-09-22T10:16:00.000Z",
              "lte": "2022-09-22T10:18:00.000Z"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "hostName": {
      "terms": {
        "field": "host.name"
      },
      "aggs": {
        "docsOverTimeFrame": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "10s"
          }
        },
        "min_bucket_selector": {
          "bucket_selector": {
            "buckets_path": {
              "count": "docsOverTimeFrame._bucket_count" 
            },
            "script": {
              "source": "params.count == 12"
            }
          }
        }
      }
    }
  }
}

我目前得到的响应是:

{
  "took" : 8,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 38,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "hostName" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "datahot01",
          "doc_count" : 3,
          "docsOverTimeFrame" : {
            "buckets" : [
              {
                "key_as_string" : "2022-09-22T10:16:00.000Z",
                "key" : 1663841760000,
                "doc_count" : 1
              },
              {
                "key_as_string" : "2022-09-22T10:16:10.000Z",
                "key" : 1663841770000,
                "doc_count" : 1
              },
              {
                "key_as_string" : "2022-09-22T10:16:20.000Z",
                "key" : 1663841780000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:16:30.000Z",
                "key" : 1663841790000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:16:40.000Z",
                "key" : 1663841800000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:16:50.000Z",
                "key" : 1663841810000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:17:00.000Z",
                "key" : 1663841820000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:17:10.000Z",
                "key" : 1663841830000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:17:20.000Z",
                "key" : 1663841840000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:17:30.000Z",
                "key" : 1663841850000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:17:40.000Z",
                "key" : 1663841860000,
                "doc_count" : 0
              },
              {
                "key_as_string" : "2022-09-22T10:17:50.000Z",
                "key" : 1663841870000,
                "doc_count" : 0
              }
            ]
          }
        }
      ]
    }
  }
}

因此,如果我能够排除 doc_count=0 的桶,就可以根据剩余桶的数量(即 _bucket_count)来检查形成的桶数是否等于 12(我正在用 bucket_selector 聚合做这个检查)。

有没有办法排除 doc_count=0 的桶,使 _bucket_count 为 2 而不是 12?

qeeaahzv


通过在 date_histogram 聚合内部嵌套一个管道聚合(即 bucket_selector 聚合),我解决了上面的用例:内层的 bucket_selector 先用 `_count` 丢弃 doc_count 为 0 的桶,外层的 bucket_selector 再通过 `docsOverTimeFrame._bucket_count` 只统计保留下来的桶。

修改后的查询如下:

{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2022-09-22T10:16:00.000Z",
              "lte": "2022-09-22T10:22:00.000Z"
            }
          }
        },
        {
          "range": {
            "system.cpu.total.norm.pct": {
              "gte": 0.8
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "hostName": {
      "terms": {
        "field": "host.name"
      },
      "aggs": {
        "docsOverTimeFrame": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "10s"
          },
          "aggs": {
            "histogram_doc_count": {
              "bucket_selector": {
                "buckets_path": {
                  "the_doc_count": "_count"
                },
                "script": "params.the_doc_count > 0"
              }
            }
          }
        },
        "min_bucket_selector": {
          "bucket_selector": {
            "buckets_path": {
              "count": "docsOverTimeFrame._bucket_count"
            },
            "script": {
              "source": "params.count == 12"
            }
          }
        }
      }
    }
  }
}
