我有一个包含这样的文档的elasticsearch(v。5.2.0)索引:
{
"_index": "test-index-2017.03.15",
"_type": "logevent",
"_id": "AVrSIU-U8za2OFJzSCwQ",
"_score": null,
"_source": {
"@timestamp": "2017-03-15T14:21:21.9636228+01:00",
"level": "Information",
"messageTemplate": "HeartbeatEntry {@Data}",
"message": "HeartbeatEntry HeartbeatEntry { ServiceName: "Service A", HeartbeatValue: 1 }",
"fields": {
"Data": {
"_typeTag": "HeartbeatEntry",
"ServiceName": "Service A",
"HeartbeatValue": 1
},
"MachineName": "DevServer01"
}
},
"sort": [
1489584081963
]
}
我想获得由" MachineName"分组的所有'ServiceName'值。如果这是在SQL世界中,我会做诸如SELECT ServiceName, MachineName FROM test-index-2017.03.15 GROUP BY MachineName
我很早就卡住了,因为我什至无法获得简单的聚合工作。目前我得到了这个:
GET /test-index-2017.03.15/_search
{
"size": 0,
"aggs" : {
"by_machinename" : {
"terms" : {
"field" : "MachineName"
}
}
}
}
产生零结果。
您是否尝试过field: fields.MachineName?
在圆顶挖掘并在Paqash的评论的帮助下,这是一个技巧:
GET /test-index-2017.03.15/_search
{
"size": 0,
"aggs" : {
"by_machinename" : {
"terms" : {
"field" : "fields.MachineName.keyword"
},
"aggs" : {
"by_servicename" : {
"terms" : {
"field" : "fields.Data.ServiceName.keyword"
}
}
}
}
}
}