Aggregations
格式如下:
"aggregations"{ //可以简写为aggs
"<aggregation_name>":{ //名称
"<aggregation_type>":{ //agg 类型
<aggregation_body> //统计字段...
},
[,"aggregations":{ [ <sub_aggregation>]+ } ]?
}
[ , "<aggregation_name_2>" : { … } ]*
}
以下所有测试数据均来自iis日志
最值、求和、均值统计
1.最小值统计
{
"query": {
"match_all": {}
},
"aggs": {
"min_size": {
"min": { 统计最小值
"field": "time-taken" 取字段 time-taken 最小值
}
}
}
}
最大、求和、求平均统计只需要在类型上写max、sum、avg
Stats、extended_stats
Stats 是多值统计,返回值包括最大值、最小值、求和、计数、均值等
{
"query": {
"match_all": {}
},
"aggs": {
"multi_stats": {
"stats": {
"field": "time-taken"
}
}
}
}
extended_stats 可以在上述输出结果上添加平方和、方差、标准差等测度。
Terms 用于对指定字段的内容进行分布统计,
{
"query": {
"match_all": {}
},
"aggs": {
"terms_sc-status": {
"terms": {
"field": "sc-status",
"order": {
"_term": "desc"
}
}
}
},
"size": 20
}
嵌套查询,获取每个状态下的最大、最小、平均值
{
"query": {
"match_all": {}
},
"aggs": {
"terms_sc-status": {
"terms": {
"field": "sc-status",
"order": {
"_term": "desc"
}
},
"aggs": {
"avg_size": {
"stats": {
"field": "time-taken"
}
}
}
}
},
"size": 20
}
包含和不包含
{
"query": {
"match_all": {}
},
"aggs": {
"terms_sc-status": {
"terms": {
"field": "cs-method",
"order": {
"_term": "desc"
},
"include": "g.*", 包含,匹配所有字符用 .*
"exclude": "p.*" 不包含
},
"aggs": {
"avg_size": {
"stats": {
"field": "time-taken"
}
}
}
}
},
"size": 20
}
Cardinality 获取某个字段去重后的数量
{
"query": {
"match_all": {}
},
"aggs": {
"aggname": {
"cardinality": {
"field": "sc-status"
}
},
"aggname1": {
"terms": {
"field": "sc-status"
}
}
},
"size": 20
}
