将单个键的多个值聚合到单个存储桶中弹性搜索答案

【问题标题】：Aggregating multiple values of single key into a single bucket elasticsearch将单个键的多个值聚合到单个存储桶中弹性搜索
【发布时间】：2021-01-14 08:14:06
【问题描述】：

我有一个带有以下映射的弹性搜索索引

 {
  "probe_alert" : {
    "mappings" : {
      "alert" : {
        "properties" : {
          "id" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "probeChannelId" : {
            "type" : "long"
          },
          "severity" : {
            "type" : "integer"
          },
        }
      }
    }
  }
}

样本索引数据：对于每个通道索引都有一个严重性值

[
      {
        "_index" : "probe_alert",
        "_type" : "alert",
        "_id" : "b_cu0nYB8EMvknGcmMxk",
        "_score" : 0.0,
        "_source" : {
          "id" : "b_cu0nYB8EMvknGcmMxk",
          "probeChannelId" : 15,
          "severity" : 2,
        }
      },
      {
        "_index" : "probe_alert",
        "_type" : "alert",
        "_id" : "b_cu0nYB8EMvknGcmMxk",
        "_score" : 0.0,
        "_source" : {
          "id" : "b_cu0nYB8EMvknGcmMxk",
          "probeChannelId" : 17,
          "severity" : 5,
        }
      },
      {
        "_index" : "probe_alert",
        "_type" : "alert",
        "_id" : "b_cu0nYB8EMvknGcmMxk",
        "_score" : 0.0,
        "_source" : {
          "id" : "b_cu0nYB8EMvknGcmMxk",
          "probeChannelId" : 18,
          "severity" : 10,
        }
      },
      {
        "_index" : "probe_alert",
        "_type" : "alert",
        "_id" : "b_cu0nYB8EMvknGcmMxk",
        "_score" : 0.0,
        "_source" : {
          "id" : "b_cu0nYB8EMvknGcmMxk",
          "probeChannelId" : 19,
          "severity" : 5,
        }
      },
      {
        "_index" : "probe_alert",
        "_type" : "alert",
        "_id" : "b_cu0nYB8EMvknGcmMxk",
        "_score" : 0.0,
        "_source" : {
          "id" : "b_cu0nYB8EMvknGcmMxk",
          "probeChannelId" :20,
          "severity" : 10,
        }
      }
    ]

我已经为获取单个 probeChannelId 的最大严重性值进行了术语聚合，但现在我想聚合多个 probeChannelId 值并获得最大严重性值。预期结果：

"aggregations" : {
    "aggs_by_channels" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : [15,17],
          "doc_count" : 1,
          "aggs_by_severity" : {
            "value" : 5.0
          }
        },
        {
          "key" : [18,19,20],
          "doc_count" : 1,
          "aggs_by_severity" : {
            "value" : 10.0
          }
        }
      ]
    }
  }

作为回应，我希望值组 probeChannelId 具有最高严重性值

【问题讨论】：

能否分享一些示例索引数据和预期的搜索结果？
@ESCoder 我已添加示例数据和预期响应
我也检查了 Adjacency matrix aggregation ，但它聚合的是跨组而不是单个组的数据。

标签： elasticsearch elasticsearch-aggregation

【解决方案1】：

如果您想在一组文档中获得最高严重性值，那么您可以使用Adjacency matrix aggregation 尝试以下查询

搜索查询：

{
  "size": 0,
  "aggs": {
    "interactions": {
      "adjacency_matrix": {
        "filters": {
          "[15,17]": {
            "terms": {
              "probeChannelId": [
                15,
                17
              ]
            }
          },
          "[18,19,20]": {
            "terms": {
              "probeChannelId": [
                18,
                19,
                20
              ]
            }
          }
        }
      },
      "aggs": {
        "max_severity": {
          "max": {
            "field": "severity"
          }
        }
      }
    }
  }
}

搜索结果：

"aggregations": {
    "interactions": {
      "buckets": [
        {
          "key": "[15,17]",
          "doc_count": 2,
          "max_severity": {
            "value": 5.0           // note this
          }
        },
        {
          "key": "[18,19,20]",
          "doc_count": 3,
          "max_severity": {
            "value": 10.0        // note this
          }
        }
      ]
    }

【讨论】：

谢谢，了解邻接矩阵聚合的工作原理。 @ECoder