Elasticsearch：在聚合中选择多个值

Question

在 Elastic Search 中，我有以下索引，其中包含“allocated_bytes”、“total_bytes”和其他字段：

{
  "_index" : "metrics-blockstore_capacity-2017_06",
  "_type" : "datapoint",
  "_id" : "AVzHwgsi9KuwEU6jCXy5",
  "_score" : 1.0,
  "_source" : {
    "timestamp" : 1498000001000,
    "resource_guid" : "2185d15c-5298-44ac-8646-37575490125d",
    "allocated_bytes" : 1.159196672E9,
    "resource_type" : "machine",
    "total_bytes" : 1.460811776E11,
    "machine" : "2185d15c-5298-44ac-8646-37575490125d"
  }

我有以下查询 1）使用日期直方图获得 30 分钟间隔的点 2）按resource_guid上的字段分组。 3) 最大聚合找到最大值。

{
  "size": 0,
  "query": {
    "bool": {
  "must": [
    {
      "range": {
        "timestamp": {
          "gte": 1497992400000,
          "lte": 1497996000000
        }
      }
    }
  ]
}
},
"aggregations": {
"groupByTime": {
  "date_histogram": {
    "field": "timestamp",
    "interval": "30m",
    "order": {
      "_key": "desc"
    }
  },
  "aggregations": {
    "groupByField": {
      "terms": {
        "size": 1000,
        "field": "resource_guid"
      },
      "aggregations": {
        "maxValue": {
          "max": {
            "field": "allocated_bytes"
          }
         }
      }
    },
    "sumUnique": {
      "sum_bucket": {
        "buckets_path": "groupByField>maxValue"
      }
    }
  }
}

} }

但是通过这个查询，我只能获得allocated_bytes，但我需要在结果点同时拥有allocated_bytes 和total_bytes。

以下是上述查询的结果：

{
    "key_as_string" : "2017-06-20T21:00:00.000Z",
    "key" : 1497992400000,
    "doc_count" : 9,
    "groupByField" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [ {
        "key" : "2185d15c-5298-44ac-8646-37575490125d",
        "doc_count" : 3,
        "maxValue" : {
          "value" : 1.156182016E9
        }
      }, {
        "key" : "c3513cdd-58bb-4f8e-9b4c-467230b4f6e2",
        "doc_count" : 3,
        "maxValue" : {
          "value" : 1.156165632E9
        }
      }, {
        "key" : "eff13403-9737-4d08-9dca-fb6c12c3a6fa",
        "doc_count" : 3,
        "maxValue" : {
          "value" : 1.156182016E9
        }
      } ]
    },
    "sumUnique" : {
      "value" : 3.468529664E9
    }
  }

我确实需要allocated_bytes 和total_bytes。如何获取每个点的多个字段（已分配字节数、总字节数）？

例如：

"sumUnique" : {
      "Allocatedvalue" : 3.468529664E9,
      "TotalValue" : 9.468529664E9
    }

或者像这样：

"allocatedBytessumUnique" : {
      "value" : 3.468529664E9
    }
"totalBytessumUnique" : {
      "value" : 9.468529664E9
    },

Answer 1

您可以添加另一个聚合：

{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "timestamp": {
              "gte": 1497992400000,
              "lte": 1497996000000
            }
          }
        }
      ]
    }
  },
  "aggregations": {
    "groupByTime": {
      "date_histogram": {
        "field": "timestamp",
        "interval": "30m",
        "order": {
          "_key": "desc"
        }
      },
      "aggregations": {
        "groupByField": {
          "terms": {
            "size": 1000,
            "field": "resource_guid"
          },
          "aggregations": {
            "maxValueAllocated": {
              "max": {
                "field": "allocated_bytes"
              }
            },
            "maxValueTotal": {
              "max": {
                "field": "total_bytes"
              }
            }
          }
        },
        "sumUniqueAllocatedBytes": {
          "sum_bucket": {
            "buckets_path": "groupByField>maxValueAllocated"
          }
        },
        "sumUniqueTotalBytes": {
          "sum_bucket": {
            "buckets_path": "groupByField>maxValueTotal"
          }
        }
      }
    }
  }
}

我希望你知道sum_bucket 只计算兄弟聚合，在这种情况下给出最大值的总和，而不是总字节的总和。如果你想得到 total_bytes 的总和，你可以使用sum aggregation