嗨,我是弹性搜索的新手。 我正在对弹性搜索运行以下查询/休息请求。我正在尝试获得一年的直方图。然而,结果返回的是自1970年以来的数据,而不是去年到今年的数据。
curl -X GET "10.10.9.1:9200/mep-reports*/_search?pretty&size=0" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{ "range": { "@timestamp": {"gte": "now-1y/y" , "lt": "now"}}}
]
}
},
"aggs" : {
"sales_over_time" : {
"date_histogram" : {
"field" : "submission_ts",
"interval" : "day",
"format": "yyyy-MM-dd hh:mm:ss"
}
}
}
}'
以下是我收到的回复。 如果您检查key_as_string,您可以看到它从 1970 年开始。 我的问题是为什么它忽略了指定的范围( { "range": { "@timestamp": {"gte": "now-1y/y" , "lt": "now"}}})
{
"took" : 22,
"timed_out" : false,
"_shards" : {
"total" : 12,
"successful" : 12,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 1073013,
"max_score" : 0.0,
"hits" : [ ]
},
"aggregations" : {
"sales_over_time" : {
"buckets" : [
{
"key_as_string" : "1970-01-19 12:00:00",
"key" : 1555200000,
"doc_count" : 1016510
},
{
"key_as_string" : "1970-01-20 12:00:00",
"key" : 1641600000,
"doc_count" : 0
},
{
"key_as_string" : "1970-01-21 12:00:00",
"key" : 1728000000,
"doc_count" : 0
},
{
"key_as_string" : "1970-01-22 12:00:00",
"key" : 1814400000,
"doc_count" : 0
},
{
"key_as_string" : "1970-01-23 12:00:00",
"key" : 1900800000,
"doc_count" : 0
},
{
"key_as_string" : "1970-01-24 12:00:00",
"key" : 1987200000,
"doc_count" : 0
},
{
"key_as_string" : "1970-01-25 12:00:00",
"key" : 2073600000,
"doc_count" : 0
},
}
您的查询位于@timestamp字段上,但聚合位于submission_ts上。
如果希望date_histogram聚合受查询约束,则需要在查询和聚合中使用相同的字段。
curl -X GET "10.10.9.1:9200/mep-reports*/_search?pretty&size=0" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{ "range": { "submission_ts": {"gte": "now-1y/y" , "lt": "now"}}}
]
}
},
"aggs" : {
"sales_over_time" : {
"date_histogram" : {
"field" : "submission_ts",
"interval" : "day",
"format": "yyyy-MM-dd hh:mm:ss"
}
}
}
}'