将多个单独的查询合并为一个以在Elasticsearch中获取聚合结果

问题描述 投票:0回答:1

我在ElasticSearch中构建了两个查询来获取每条错误消息的计数。例如,第一个查询是获取与“未找到”错误相关的错误消息数

GET /logstash*/_search
{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            {
              "match": {
                "kubernetes.pod_name": "api"
              }
            },
            {
              "match": {
                "log": "error"
              }
            },
            {
              "match": {
                "log": {
                  "query": "was not found",
                  "operator": "and"

                }
              }
            },
            {
              "range": {"@timestamp": {
              "time_zone": "CET",
              "gt": "now-7d",
              "lte": "now"}}
          }
          ]
        }
      }
    }
  },

  "aggs" : {
        "type_count" : {
            "value_count" : {
                "script" : {
                    "source" : "doc['log.keyword'].value"
                }
            }
        }
    }
} 

第二个查询是获取与“重复条目”错误相关的错误消息计数

GET /logstash*/_search
{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            {
              "match": {
                "kubernetes.pod_name": "api"
              }
            },
            {
              "match": {
                "log": "error"
              }
            },
            {
              "match": {
                "log": {
                  "query": "Duplicate entry",
                  "operator": "and"

                }
              }
            },
            {
              "range": {"@timestamp": {
              "time_zone": "CET",
              "gt": "now-7d",
              "lte": "now"}}
          }
          ]
        }
      }
    }
  },

  "aggs" : {
        "type_count" : {
            "value_count" : {
                "script" : {
                    "source" : "doc['log.keyword'].value"
                }
            }
        }
    }
}

我的老板真的希望我将这些单独的查询组合成一个大的查询,然后在一个输出中获取每个错误消息的计数列表。由于我们有很多错误消息,这意味着我们必须为每个错误消息编写每个查询,然后我们必须运行每个查询来获取计数。有没有办法点击一次运行来获取计数列表?

我一直在尝试使用查询字符串查询并在Stack Overflow和Documentation上查找解决方案。但是,没有运气

elasticsearch
1个回答
1
投票

您可以使用filter aggregationvalue_count聚合来组合这两个查询。在两个查询中,在must子句中的4个查询中只有一个不同。您可以将其与两个过滤器聚合组合,如下所示:

{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            {
              "match": {
                "kubernetes.pod_name": "api"
              }
            },
            {
              "match": {
                "log": "error"
              }
            },
            {
              "range": {
                "@timestamp": {
                  "time_zone": "CET",
                  "gt": "now-7d",
                  "lte": "now"
                }
              }
            }
          ]
        }
      }
    }
  },
  "aggs": {
    "not_found_count": {
      "filter": {
        "match": {
          "log": {
            "query": "was not found",
            "operator": "and"
          }
        }
      },
      "aggs": {
        "count": {
          "value_count": {
            "script": {
              "source": "doc['log.keyword'].value"
            }
          }
        }
      }
    },
    "duplicate_entry_count": {
      "filter": {
        "match": {
          "log": {
            "query": "Duplicate entry",
            "operator": "and"
          }
        }
      },
      "aggs": {
        "count": {
          "value_count": {
            "script": {
              "source": "doc['log.keyword'].value"
            }
          }
        }
      }
    }
  }
}
© www.soinside.com 2019 - 2024. All rights reserved.