试试搜索一下吧

写数据查询表达式的问题

Kibana | 作者 sailershen | 发布于2019年07月18日 | 阅读数:2242
分享到:QQ空间新浪微博微信QQ好友印象笔记有道云笔记
情境:每个客户端都有自己的号码,客户端大约每3分钟发送一次心跳到服务器。每次心跳都会发送日志到ELK,字段包括ouyu-number(客户号码,6位数字)、reg_time(发送心跳的时间,时间格式是2019-07-18 13:59:08这样)。
要求:统计最近24小时至最近4小时发送过心跳,但是最近4小时以内没有发送心跳的号码。
不知道Discover的Filter里是否可以写这样的语句。
我自己在Dev Tools的Console里想写类似的语句:
GET /_search

{

    "query": {

        "query_string" : {

            "default_field": "ouyu-number",

            "query":{"@timestamp":"now-4h" TO "now"}

        }

    }

}
不知道应该怎么写。
2019-07-18 添加评论

没有找到相关结果

    已邀请:

    bellengao - 博客: https://www.jianshu.com/u/e0088e3e2127

    赞同来自: sailershen

    {
    "size":0,
      "aggs": {
        "number": {
          "filter": {
            "range": {
              "time": {
                "gte":"now-24h/h",
                "lt":"now-4h/h"
                
              }
            }
          },
          "aggs": {
            "x": {
              "terms": {
                "field": "ouyu-number"
              }
            }
          }
        }
      }
    }
    2019-07-21 1 1
    分享

    sailershen

    赞同来自:

    这个索引的mapping:
    {
    
  "mapping": {
    
    "properties": {
    
      "@timestamp": {
    
        "type": "date"
    
      },
    
      "@version": {
    
        "type": "text",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      },
    
      "message": {
    
        "type": "text",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      },
    
      "ouyu-number": {
    
        "type": "text",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      },
    
      "ouyu-version": {
    
        "type": "text",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      },
    
      "platform": {
    
        "type": "text",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      },
    
      "reg_time": {
    
        "type": "date",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        },
    
        "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis"
    
      },
    
      "register-ip": {
    
        "type": "ip",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      },
    
      "tags": {
    
        "type": "text",
    
        "fields": {
    
          "keyword": {
    
            "type": "keyword",
    
            "ignore_above": 256
    
          }
    
        }
    
      }
    
    }
    
  }
    
}

    根据您的提示我这样写语句:
    GET /bj-sip_register/_search
    
{
    
  "size":0,
    
  "aggs": {
    
    "number": {
    
      "filter": {
    
        "range": {
    
          "@timestamp": {
    
            "gte":"now-24h/h",
    
            "lt":"now-4h/h"
    
          }
    
        }
    
      },
    
      "aggs": {
    
        "x": {
    
          "terms": {
    
            "field": "ouyu-number"
    
          }
    
        }
    
      }
    
    }
    
  }
    
}

    错误提示:
    {
    
  "error": {
    
    "root_cause": [
    
      {
    
        "type": "illegal_argument_exception",
    
        "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [ouyu-number] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
    
      }
    
    ],
    
    "type": "search_phase_execution_exception",
    
    "reason": "all shards failed",
    
    "phase": "query",
    
    "grouped": true,
    
    "failed_shards": [
    
      {
    
        "shard": 0,
    
        "index": "bj-sip_register",
    
        "node": "Z7tobMU1RgSwndaSKhdJww",
    
        "reason": {
    
          "type": "illegal_argument_exception",
    
          "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [ouyu-number] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
    
        }
    
      }
    
    ],
    
    "caused_by": {
    
      "type": "illegal_argument_exception",
    
      "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [ouyu-number] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.",
    
      "caused_by": {
    
        "type": "illegal_argument_exception",
    
        "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [ouyu-number] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."
    
      }
    
    }
    
  },
    
  "status": 400
    
}
    2019-07-21 0 2
    分享
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    Copyright © 2024 · CC BY-NC-SA 3.0

    本站服务器及带宽由 提供赞助