Elasticsearch 6.8.4 multi-condition aggregation (tested, works)

tech  2024-01-24  67

Preface

In real-world development, grouping and aggregating is not always on a single condition; some cases call for aggregation on multiple conditions. I searched Baidu and got talk of aggregation scripts and copy_to, and frankly I could not make sense of any of it... In the end I looked at the official site, which has a bucket aggregation for this, at this link: elasticsearch composite. I followed that idea, tried it, and it met the need. I don't understand why so many Baidu users never try it themselves and just copy other people's articles that don't work...

Content

I created an eventlog index with fields such as eventcategory, eventcategorytechnique, deviceaddress and eventname. I need the document counts grouped by the two fields eventcategory and eventcategorytechnique together. The DSL is as follows:

GET /eventlog/_search
{
  "size": 0,
  "query": {
    "match_all": {}
  },
  "aggs": {
    "my_buckets": {
      "composite": {
        "sources": [
          { "eventcategory": { "terms": { "field": "eventcategory.keyword" } } },
          { "eventcategorytechnique": { "terms": { "field": "eventcategorytechnique.keyword" } } }
        ]
      }
    },
    "deviceaddress": {
      "terms": { "field": "deviceaddress.keyword" }
    },
    "eventname": {
      "terms": { "field": "eventname.keyword" }
    }
  }
}

The result is as follows:

{
  "took" : 10,
  "timed_out" : false,
  "_shards" : { "total" : 5, "successful" : 5, "skipped" : 0, "failed" : 0 },
  "hits" : { "total" : 180047, "max_score" : 0.0, "hits" : [ ] },
  "aggregations" : {
    "my_buckets" : {
      "after_key" : { "eventcategory" : "Others", "eventcategorytechnique" : "Others" },
      "buckets" : [
        { "key" : { "eventcategory" : "Access", "eventcategorytechnique" : "Connection_Closed" }, "doc_count" : 32448 },
        { "key" : { "eventcategory" : "Access", "eventcategorytechnique" : "MISC" }, "doc_count" : 1749 },
        { "key" : { "eventcategory" : "Access", "eventcategorytechnique" : "Session_Closed" }, "doc_count" : 24263 },
        { "key" : { "eventcategory" : "Access", "eventcategorytechnique" : "Session_Opened" }, "doc_count" : 41822 },
        { "key" : { "eventcategory" : "Access", "eventcategorytechnique" : "Session_closed" }, "doc_count" : 16248 },
        { "key" : { "eventcategory" : "Access", "eventcategorytechnique" : "Session_opened" }, "doc_count" : 16253 },
        { "key" : { "eventcategory" : "Application", "eventcategorytechnique" : "Mail_Sent" }, "doc_count" : 1551 },
        { "key" : { "eventcategory" : "Authentication", "eventcategorytechnique" : "Login" }, "doc_count" : 8035 },
        { "key" : { "eventcategory" : "Authentication", "eventcategorytechnique" : "Login_Succeeded" }, "doc_count" : 16242 },
        { "key" : { "eventcategory" : "Others", "eventcategorytechnique" : "Others" }, "doc_count" : 2025 }
      ]
    },
    "deviceaddress" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        { "key" : "10.20.4.161", "doc_count" : 180047 }
      ]
    },
    "eventname" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 17383,
      "buckets" : [
        { "key" : "sshd session", "doc_count" : 32501 },
        { "key" : "session opened", "doc_count" : 17550 },
        { "key" : "new session", "doc_count" : 16255 },
        { "key" : "Removed session", "doc_count" : 16246 },
        { "key" : "Login successful (Accepted password)", "doc_count" : 16242 },
        { "key" : "disconnection", "doc_count" : 16226 },
        { "key" : "Closed request", "doc_count" : 16222 },
        { "key" : "Pam session status", "doc_count" : 16034 },
        { "key" : "sudo Command Executed", "doc_count" : 8035 },
        { "key" : "kernel marked event", "doc_count" : 7353 }
      ]
    }
  }
}
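One thing the response above should make a practitioner pause: the composite aggregation returned exactly ten buckets together with an after_key, and a composite aggregation's default size is 10. A composite aggregation is a paginated cursor, not a "top N" like the terms aggregation (whose eventname result shows sum_other_doc_count 17383, meaning the rest was cut off). To get every (eventcategory, eventcategorytechnique) pair, the after_key of each page is passed back as "after" until a page comes back empty. The script below is an added example, not code from the post; it builds the page's composite request with an optional cursor and runs the paging loop. Because it has to run offline, the cluster is replaced by a constructed in-memory stand-in (FakeCluster) that mimics the composite semantics: buckets ordered by key, at most size per page, after_key on the last bucket. Against a real cluster the same loop takes a search callable built on the official client, as noted in the comment.

```python
"""Page through an Elasticsearch composite aggregation (added example).

Assumed: an ``eventlog`` index with keyword sub-fields ``eventcategory.keyword``
and ``eventcategorytechnique.keyword`` as in the post. The cluster is replaced
by ``FakeCluster``, a constructed stand-in that mimics composite semantics
(keys in sorted order, ``size`` buckets per page, ``after_key`` cursor).
"""
from collections import Counter

SOURCES = ["eventcategory", "eventcategorytechnique"]


def composite_body(after_key=None, size=10):
    """Request body from the post, plus an optional 'after' cursor for paging."""
    composite = {
        "size": size,
        "sources": [{name: {"terms": {"field": f"{name}.keyword"}}} for name in SOURCES],
    }
    if after_key is not None:
        composite["after"] = after_key  # resume just past the last key seen
    return {
        "size": 0,  # aggregations only, no hits
        "query": {"match_all": {}},
        "aggs": {"my_buckets": {"composite": composite}},
    }


class FakeCluster:
    """Constructed stand-in for es.search(body=...): answers the body above from a doc list."""

    def __init__(self, docs):
        self.docs = docs

    def search(self, body):
        comp = body["aggs"]["my_buckets"]["composite"]
        size, after = comp.get("size", 10), comp.get("after")
        counts = Counter(tuple(d[s] for s in SOURCES) for d in self.docs)
        keys = sorted(counts)  # composite buckets come back ordered by key
        if after is not None:
            cursor = tuple(after[s] for s in SOURCES)
            keys = [k for k in keys if k > cursor]
        page = keys[:size]
        buckets = [{"key": dict(zip(SOURCES, k)), "doc_count": counts[k]} for k in page]
        agg = {"buckets": buckets}
        if buckets:
            agg["after_key"] = buckets[-1]["key"]
        return {"hits": {"total": len(self.docs)}, "aggregations": {"my_buckets": agg}}


def collect_all_buckets(search, size=10):
    """Follow after_key until an empty page; returns every composite bucket."""
    out, after = [], None
    while True:
        agg = search(composite_body(after, size))["aggregations"]["my_buckets"]
        if not agg["buckets"]:
            return out
        out.extend(agg["buckets"])
        after = agg["after_key"]


# Constructed sample log: 13 distinct pairs, so a single default page of 10 misses three.
SAMPLE_DOCS = [
    {"eventcategory": c, "eventcategorytechnique": t}
    for c, t, n in [
        ("Access", "Connection_Closed", 5), ("Access", "MISC", 1),
        ("Access", "Session_Closed", 4), ("Access", "Session_Opened", 6),
        ("Access", "Session_closed", 2), ("Access", "Session_opened", 2),
        ("Application", "Mail_Sent", 1), ("Authentication", "Login", 3),
        ("Authentication", "Login_Succeeded", 3), ("Authentication", "Login_Failed", 7),
        ("Others", "Others", 1), ("Privilege", "Sudo_Command", 2),
        ("Privilege", "Sudo_Failed", 1),
    ]
    for _ in range(n)
]


def bucket_counts(docs=SAMPLE_DOCS, size=10):
    """{(category, technique): doc_count} after paging through every page."""
    buckets = collect_all_buckets(FakeCluster(docs).search, size)
    return {tuple(b["key"][s] for s in SOURCES): b["doc_count"] for b in buckets}


if __name__ == "__main__":
    # Real cluster (assumed, official client): search = lambda body: es.search(index="eventlog", body=body)
    first = FakeCluster(SAMPLE_DOCS).search(composite_body())["aggregations"]["my_buckets"]
    print("buckets on first page:", len(first["buckets"]), "after_key:", first["after_key"])
    for key, n in bucket_counts().items():
        print(f"{key[0]:15s} {key[1]:20s} {n}")
```

The loop's result is independent of the page size, which is the property worth checking: run bucket_counts(size=3) and bucket_counts(size=10) and the dictionaries match. When this kind of summary feeds a detection or reporting job (counting Authentication/Login versus Login_Succeeded across sshd and sudo events, as the post's data does), stopping at the first page silently drops whole categories, so the paging loop, not the single request, is what belongs in the job.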

I hope this helps the crowd lost in the sea of Baidu results...
