Elasticsearch 查询 - 每个用户的最新日志,字段 logtype='x'
Elasticsearch query - Most recent log for each user, for field logtype='x'
我正在尝试查询 elasticsearch 以获取所有用户 ID 的最新日志,其中我们只为每个用户包含一个日志,字段为 logtype='x'
if logtype='x' 然后为每个用户 ID 获取 1 个日志,其中此日志的日期是每个用户 ID 的最新日期
示例日志:{"logtype"="x", "number":232423, "userID":123, "time":"2021-02-03T20:25:44.603045+05:30"}
如何创建此查询?
假设您的索引映射如下所示:
{
"properties" : {
"logtype" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"number" : {
"type" : "long"
},
"time" : {
"type" : "date"
},
"userID" : {
"type" : "long"
}
}
}
您将需要这些聚合:terms ordered by the result of a max, plus a top_hits 以获取每个用户 ID 的最新日志:
POST logs/_search
{
"size": 0,
"query": {
"match": {
"logtype": "x"
}
},
"aggs": {
"by_user_id": {
"terms": {
"field": "userID",
"size": 1,
"order": {
"latest_date": "desc"
}
},
"aggs": {
"latest_date": {
"max": {
"field": "time"
}
},
"latest_log": {
"top_hits": {
"size": 1,
"sort": [
{
"time": {
"order": "desc"
}
}
]
}
}
}
}
}
}
我正在尝试查询 elasticsearch 以获取所有用户 ID 的最新日志,其中我们只为每个用户包含一个日志,字段为 logtype='x'
if logtype='x' 然后为每个用户 ID 获取 1 个日志,其中此日志的日期是每个用户 ID 的最新日期
示例日志:{"logtype"="x", "number":232423, "userID":123, "time":"2021-02-03T20:25:44.603045+05:30"}
如何创建此查询?
假设您的索引映射如下所示:
{
"properties" : {
"logtype" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"number" : {
"type" : "long"
},
"time" : {
"type" : "date"
},
"userID" : {
"type" : "long"
}
}
}
您将需要这些聚合:terms ordered by the result of a max, plus a top_hits 以获取每个用户 ID 的最新日志:
POST logs/_search
{
"size": 0,
"query": {
"match": {
"logtype": "x"
}
},
"aggs": {
"by_user_id": {
"terms": {
"field": "userID",
"size": 1,
"order": {
"latest_date": "desc"
}
},
"aggs": {
"latest_date": {
"max": {
"field": "time"
}
},
"latest_log": {
"top_hits": {
"size": 1,
"sort": [
{
"time": {
"order": "desc"
}
}
]
}
}
}
}
}
}