In Kibana how can you sum nested fields and then bucket for each document?
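We have multiple nested fields that need to be summed and then graphed as if they were a value of the parent document (using scripted fields is not an ideal solution for us).
Given the example index mapping: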
{
  "mapping": {
    "_doc": {
      "properties": {
        "build_name": { "type": "keyword" },
        "start_ms": { "type": "date" },
        "projects": {
          "type": "nested",
          "properties": {
            "project_duration_ms": { "type": "long" },
            "project_name": { "type": "keyword" }
          }
        }
      }
    }
  }
}
Example doc._source:
{
  "build_name": "example_build_1",
  "start_ms": "1611252094540",
  "projects": [
    { "project_duration_ms": "19381", "project_name": "example_project_1" },
    { "project_duration_ms": "2081", "project_name": "example_project_2" }
  ]
},
{
  "build_name": "example_build_2",
  "start_ms": "1611252097638",
  "projects": [
    { "project_duration_ms": "21546", "project_name": "example_project_1" },
    { "project_duration_ms": "2354", "project_name": "example_project_2" }
  ]
}
It would be ideal to get an aggregation similar to this:
....
  "aggregations" : {
    "builds" : {
      "total_durations" : {
        "buckets" : [
          {
            "key": "example_build_1",
            "start_ms": "1611252094540",
            "total_duration": "21462"
          },
          {
            "key": "example_build_2",
            "start_ms": "1611252097638",
            "total_duration": "23900"
          }
        ]
      }
    }
  }
}
No scripted fields are needed. This nested sum aggregation should do the trick:
{
  "size": 0,
  "aggs": {
    "builds": {
      "terms": {
        "field": "build_name"
      },
      "aggs": {
        "total_durations_parent": {
          "nested": {
            "path": "projects"
          },
          "aggs": {
            "total_durations": {
              "sum": {
                "field": "projects.project_duration_ms"
              }
            }
          }
        }
      }
    }
  }
}
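Your use case is a great fit for the copy_to parameter, which puts the build durations into one top-level list of longs so that the nested query is not needed when we are summing them up.
Adjust the mapping like so: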
"properties": {
  "build_name": { "type": "keyword" },
  "start_ms": { "type": "date" },
  "total_duration_ms": { "type": "long" },   <--
  "projects": {
    "type": "nested",
    "properties": {
      "project_duration_ms": {
        "type": "long",
        "copy_to": "total_duration_ms"       <--
      },
      "project_name": { "type": "keyword" }
    }
  }
}
After reindexing (which is required because of the newly added field), the above query is simplified to:
{
  "size": 0,
  "aggs": {
    "builds": {
      "terms": {
        "field": "build_name"
      },
      "aggs": {
        "total_durations": {
          "sum": {
            "field": "total_duration_ms"
          }
        }
      }
    }
  }
}
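The reindex step from the answer above, written out as Kibana Dev Tools console requests. This is an added example, not part of the original answer: the index names builds_v1 and builds_v2 are hypothetical, and the typeless "mappings" body assumes Elasticsearch 7 or later.

```console
# 1. Create the new index with the copy_to mapping.
#    builds_v2 is a hypothetical name for the new index.
PUT builds_v2
{
  "mappings": {
    "properties": {
      "build_name": { "type": "keyword" },
      "start_ms": { "type": "date" },
      "total_duration_ms": { "type": "long" },
      "projects": {
        "type": "nested",
        "properties": {
          "project_duration_ms": {
            "type": "long",
            "copy_to": "total_duration_ms"
          },
          "project_name": { "type": "keyword" }
        }
      }
    }
  }
}

# 2. Copy the existing documents across so total_duration_ms is populated
#    at index time. builds_v1 is a hypothetical name for the old index.
POST _reindex
{
  "source": { "index": "builds_v1" },
  "dest": { "index": "builds_v2" }
}

# 3. Sum the top-level field per build; no nested aggregation is involved.
GET builds_v2/_search
{
  "size": 0,
  "aggs": {
    "builds": {
      "terms": { "field": "build_name" },
      "aggs": {
        "total_durations": { "sum": { "field": "total_duration_ms" } }
      }
    }
  }
}
```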