如何在 elasticsearch 的日期直方图中获取最后 24 小时的所有桶

Question

我正在使用最小间隔为每小时的日期直方图来获取最近 24 小时的结果并得到下面的图表。 (v 为 7.4)

请求是，

GET access*/_search?pretty=true
{
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "calendar_interval": "1h",
        "time_zone": "Asia/Calcutta",
        "min_doc_count": 0,
        "format": "k"
      }
    }
  },
  "size": 0,
  "_source": {
    "excludes": []
  },
  "stored_fields": [
    "*"
  ],
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    }
  ],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_phrase": {
            "Request_URI": {
              "query": "\"/isp/v1/*\""
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "now-24h",
              "lte": "now"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

在卷曲响应中，我低于

"buckets" : [
        {
          "key_as_string" : "9",
          "key" : 1627270200000,
          "doc_count" : 44
        },
        {
          "key_as_string" : "10",
          "key" : 1627273800000,
          "doc_count" : 51
        },
        {
          "key_as_string" : "11",
          "key" : 1627277400000,
          "doc_count" : 0
        },
        {
          "key_as_string" : "12",
          "key" : 1627281000000,
          "doc_count" : 0
        },
        {
          "key_as_string" : "13",
          "key" : 1627284600000,
          "doc_count" : 0
        },
        {
          "key_as_string" : "14",
          "key" : 1627288200000,
          "doc_count" : 3
        },
        {
          "key_as_string" : "15",
          "key" : 1627291800000,
          "doc_count" : 16
        },
        {
          "key_as_string" : "16",
          "key" : 1627295400000,
          "doc_count" : 57
        }

虽然在过去的 24 小时内，数据首先在上午 9 点开始，但如果我使用现在 24 小时，为什么它没有在上午 9 点之前返回所有桶。即它没有显示所有最后 24 个桶。我怎样才能得到它？

谢谢，

Answer 1

您需要使用 extended_bounds 以确保获得第一个不包含文档的存储桶：

  "date_histogram": {
    "field": "@timestamp",
    "calendar_interval": "1h",
    "time_zone": "Asia/Calcutta",
    "min_doc_count": 0,
    "format": "k",
    "extended_bounds": {
      "min": "now-24h",
      "max": "now"
    }
  }

如何在 elasticsearch 的日期直方图中获取最后 24 小时的所有桶

How to get all buckets of last 24hrs in date histogram in elasticsearch

elasticsearch

kibana

date-histogram