1.以下操作es5.+和7.+都能使用
1).按 http_host 和 http_path 两个字段组合分组（分组用的 aggs 在下面代码里被注释掉了，用 script 把两个字段拼成一个 key 作为 terms 桶）
# Full-text filter on host + path, written in Lucene query_string syntax.
# NOTE(review): query_string parses operators (AND/OR/NOT, wildcards, field:value,
# ranges) from the string itself, so never interpolate untrusted values into it --
# an attacker could widen the match or force expensive leading-wildcard/regex
# queries. If host/path ever come from user input, prefer `term`/`match` clauses
# on keyword fields, or escape Lucene special characters first. The literal
# values used here are safe as written.
_host_path_clause = {
    "query_string": {
        "query": "http_path:/video/BV1cq4y1R7y1 AND http_host:www.bilibili.com",
        # "query": "*" would instead match every document in the time window.
    }
}

# Time window for the search. begin_time / end_time are defined elsewhere in
# the script; they are presumably epoch seconds, since they are scaled by 1000
# to match "epoch_millis" -- confirm against the caller.
_time_window_clause = {
    "range": {
        "@timestamp": {
            "gte": begin_time * 1000,
            "lte": end_time * 1000,
            "format": "epoch_millis",
        }
    }
}

# Search body: newest 5 hits matching both clauses (no exclusions).
filters = {
    "size": 5,
    "from": 0,
    "sort": [{"@timestamp": {"order": "desc"}}],
    "query": {
        "bool": {
            "filter": [_host_path_clause, _time_window_clause],
            "must_not": [],
        }
    },
    # Grouping by (http_host, http_path): uncomment to get one terms bucket per
    # "<host>#split#<path>" pair, built by a script so the two fields form a
    # single key. Bucket results come back under the top-level "aggregations"
    # key of the response, not inside "hits". A terms size of 50000 is large;
    # on 7.x it may exceed the cluster's search.max_buckets limit -- verify
    # before relying on it.
    # "aggs": {
    #     "aggs_1": {
    #         "terms": {
    #             # "field": "http_host",
    #             "script": "doc['http_host'].value +'#split#'+ doc['http_path'].value",
    #             "size": 50000,
    #             # "order": {"_count": "desc"},
    #         }
    #     }
    # }
}
2)按单个字段 http_host 分组（同样见注释掉的 aggs 部分，直接用 "field": "http_host" 做 terms 聚合）
# Same host + path filter as above, in Lucene query_string syntax.
# NOTE(review): query_string interprets operators and wildcards inside the
# string, so do not build it from untrusted input; use `term`/`match` clauses or
# escape Lucene special characters if host/path become dynamic. The literal
# values here are safe as written.
_host_path_clause = {
    "query_string": {
        "query": "http_path:/video/BV1cq4y1R7y1 AND http_host:www.bilibili.com",
        # "query": "*" would instead match every document in the time window.
    }
}

# Time window; begin_time / end_time are defined elsewhere and are presumably
# epoch seconds (scaled by 1000 for "epoch_millis") -- confirm with the caller.
_time_window_clause = {
    "range": {
        "@timestamp": {
            "gte": begin_time * 1000,
            "lte": end_time * 1000,
            "format": "epoch_millis",
        }
    }
}

# Search body: newest 5 hits matching both clauses (no exclusions).
filters = {
    "size": 5,
    "from": 0,
    "sort": [{"@timestamp": {"order": "desc"}}],
    "query": {
        "bool": {
            "filter": [_host_path_clause, _time_window_clause],
            "must_not": [],
        }
    },
    # Grouping by http_host only: uncomment to get one terms bucket per host.
    # The field must be a keyword (not analyzed text) for terms to work on it.
    # Bucket results come back under the top-level "aggregations" key of the
    # response. A terms size of 50000 is large; on 7.x it may exceed the
    # cluster's search.max_buckets limit -- verify before relying on it.
    # "aggs": {
    #     "aggs_1": {
    #         "terms": {
    #             "field": "http_host",
    #             "size": 50000,
    #             # "order": {"_count": "desc"},
    #         }
    #     }
    # }
}
注意：无论使用哪种聚合，聚合结果都不会混在命中文档里，而是与 hits 并列返回在响应的顶层关键字 aggregations 下；如果只需要分组结果而不需要原始文档，可以把 size 设为 0，减少返回的数据量。