Kibana 查询 - 使用术语聚合计数,单个存储桶中的范围

Kibana query - aggregate counts using terms, range in single bucket

我在 Kibana 中搜索具有管道执行元数据的索引模式中的查询,其中包括 pipelineid、dev grief count 等 我想将结果分成一桶管道 ID,总执行次数和执行次数为 dev_grief > 0

我的查询-

GET pipeline-execution/_search
{
  "size": 0,
  "aggs": {
    "Terms_Aggregation": {
      "terms": {
        "field": "PipelineId",
        "size": 1000
      }
    }
  }
}

上面的查询是根据术语聚合按管道 ID 提供总执行次数,但我想要 GriefToDeveloper 值大于 0 的执行次数。

因此,我使用范围添加了一个过滤器 -

GET pipeline-execution/_search
{
  "size": 0,
  "aggs": {
    "DeveloperGriefCount": {
      "filter": {
        "range": {
          "GriefToDeveloper": {
            "gte": 1
          }
        }
      },
      "aggs": {
        "Pipeline": {
          "terms": {
            "field": "PipelineId",
            "size": 1000
          }
        }
      }
    }
  }
}

现在,这行得通了,但是如您所见,没有总执行次数 -

我想合并这两个查询,只检索一个元素类似于 -

的桶
{
   "buckets": [
      {
         "key": "pipeline_id_3",
         "doc_count": 10789,
         "grief_count": 950
      },
      {
         "key": "pipeline_id_4",
         "doc_count": 7666,
         "grief_count": 25
      }
   ]
}

更新 1 - 示例文档 -

{
    "_index": "pipeline-execution",
    "_type": "_doc",
    "_id": "FUM_MHkBjRE1lX_78952a",
    "_score": 1,
    "_source": {
        "CreatedOn": "2021-05-03T03:22:41.715000",
        "PipelineId": "pipeline_id_1",
        "ExecIdentifier": "147895632145",
        "Source": 45,
        "Good": 40,
        "PayloadHashValue": "95d59a7c80ebc4974f11995c4f4004ef",
        "GriefToDeveloper": 5
    }
}

索引Map/Template-

{
    "CreatedOn": {
        "type": "date"
    },
    "PipelineId": {
        "type": "keyword"
    },
    "ExecIdentifier": {
        "type": "keyword"
    },
    "Source": {
        "type": "integer"
    },
    "Good": {
        "type": "integer"
    },
    "PayloadHashValue": {
        "type": "text"
    },
    "GriefToDeveloper": {
        "type": "integer"
    }
}

**更新 2 - ** 这是我想看到的查询 -

GET pipeline-execution/_search
{
  "size": 0,
  "aggs": {
    "Pipelines": {
      "terms": {
        "field": "PipelineId",
        "size": 1000
      },
      "aggs": {
        "total_exec": {
          "value_count": {
            "field": "PipelineId"
          }
        },
        "dev_grief": {
            "value_count": {
            "field": "PipelineId"
          }
        },
        "Grief%": {
          "bucket_script": {
            "buckets_path": {
              "TotalExecutions": "total_exec",
              "DeveloperGrief": "dev_grief"
            },
            "script": "(params.TotalExecutions/params.DeveloperGrief)*100"
          }
        }
      }
    }
  }
}

回复:

"Pipelines": {
   "doc_count_error_upper_bound": 0,
   "sum_other_doc_count": 0,
   "buckets": [
      {
         "key": "pipeline_id_1",
         "doc_count": 2,
         "total_exec": {
            "value": 2
         },
         "dev_grief": {
            "value": 1
         },
         "Grief%": {
            "value": 50
         }
      }
   ]
}

非常感谢任何帮助。

谢谢

你的想法是正确的。您需要使过滤器聚合成为术语的子聚合,而不是其他方式

查询

{
  "size": 0,
  "aggs": {
    "pipelines": {
      "terms": {
        "field": "PipelineId",
        "size": 10
      },
      "aggs": {
        "grief_count": {
          "filter": {
            "range": {
              "GriefToDeveloper": {
                "gte": 1
              }
            }
          }
        }
      }
    }
  }
}

结果

"pipelines" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "pipeline_id_1",
          "doc_count" : 2,
          "grief_count" : {
            "doc_count" : 1
          }
        }
      ]
    }

更新

{
  "size": 0,
  "aggs": {
    "Pipelines": {
      "terms": {
        "field": "PipelineId",
        "size": 1000
      },
      "aggs": {
        "total_exec": {
          "value_count": {
            "field": "PipelineId"
          }
        },
        "grief_count": {
          "filter": {
            "range": {
              "GriefToDeveloper": {
                "gte": 1
              }
            }
          },
          "aggs": {
            "dev_grief": {
              "value_count": {
                "field": "PipelineId"
              }
            }
          }
        },
        "Grief%": {
          "bucket_script": {
            "buckets_path": {
              "TotalExecutions": "total_exec",
              "DeveloperGrief": "grief_count>dev_grief"
            },
            "script": "(params.TotalExecutions/params.DeveloperGrief)*100"
          }
        }
      }
    }
  }
}

更新查询的结果 -

"Pipelines" : {
   "doc_count_error_upper_bound": 0,
   "sum_other_doc_count": 0,
   "buckets": [
      {
         "key": "pipeline_id_1",
         "doc_count": 1315291,
         "grief_count": {
            "doc_count": 4447,
            "dev_grief": {
               "value": 4447
            }
         },
         "total_exec": {
            "value": 1315291
         },
         "Grief%": {
            "value": 0.33810008
         }
      }
   ]
}