#date_histogram查询并按天天分组聚合nginx
GET /logstash-jsy/nginx-access/_search
{
"query": {
"query_string": {
"default_field": "geoip.country_name",
"query": "China"
}
},
"size": 0,
"aggs": {
"time_unit": {
"date_histogram": {
"field": "@timestamp",
"interval": "day",
"format": "yyyy-MM-dd",
"time_zone": "+08:00"
},
"aggs": {
"sum_resBytes": {
"sum": {
"field": "res_Bytes"
}
}
}
}
}
}app
结果:url
{
"key_as_string": "2017-06-21",
"key": 1497974400000,
"doc_count": 977,
"sum_resBytes": {
"value": 35940680
}
}rest
#模糊查询, 并聚合, 聚合中经过missing 显示因为es从片中取数, 没有取到的数据
GET /logstash-jsy/nginx-access/_search
{
"size": 0,
"query": {
"multi_match": {
"query": "/drivingDetail",
"fields": [
"req_referer"
]
}
},
"aggs": {
"all_interests": {
"terms": {
"field": "geoip.city_name.keyword",
"size": 1000,
"missing": "N/A"
}
}
}
}orm
结果: ip
{
"key": "Dalian",
"doc_count": 6
},
{
"key": "N/A",
"doc_count": 2
}ci
#多条件查询string
GET /logstash-jsy/nginx-access/_search
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"geoip.country_name": "China"
}
},
{
"range": {
"@timestamp": {
"gt": "2017-08-14T00:00:00.000",
"lt": "2017-08-14T23:59:00.000",
"time_zone": "+08:00"
}
}
}
]
}
}
}it
#基本聚合
GET /logstash-jsy/nginx-access/_search
{
"aggs": {
"all_interests": {
"terms": { "field": "geoip.city_name" }
}
}
}form
#设置fielddata = true
PUT logstash-jsy/_mapping/nginx-access/
{
"properties": {
"nginx-access.geoip.city_name": {
"type": "text",
"fielddata": true
}
}
}
#date_histogram指定 extended_bounds
GET /logstash-jsy/nginx-access/_search
{
"size" : 0,
"aggs": {
"sales": {
"date_histogram": {
"field": "@timestamp",
"interval": "day" ,
"format": "yyyy-MM-dd",
"extended_bounds" : {
"min" : "2017-08-01",
"max" : "2017-08-07"
}
}
}
}
}
GET /logstash-jsy/nginx-access/_search
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"geoip.country_name": "China"
}
},
{
"range": {
"@timestamp": {
"gt": "2017-09-05T14:00:00.000",
"lt": "2017-09-05T15:00:00.000",
"time_zone": "+08:00"
}
}
}
]
}
},
"aggs" : {
"articles_over_time" : {
"date_histogram" : {
"field" : "@timestamp",
"interval" : "15s",
"format": "yyyy-MM-dd HH:mm:ss z",
"time_zone": "+08:00"
}
}
}
}
GET /logstash-jsy/nginx-access/_search
{
"size": 0,
"query": {
"match": {
"geoip.city_name": {
"query": "Chaoyang Nanjing",
"operator": "or"
}
}
},
"aggs": {
"all_interests": {
"terms": {
"field": "geoip.city_name.keyword"
}
}
}
}
GET /logstash-jsy/nginx-access/_search
{
"size": 0,
"query": {
"bool":{
"should":[
{ "match_phrase":{ "req_url":"/account/login"}},
{ "match_phrase":{ "req_url":"/account/register"}}
]
}
},
"aggs": {
"sales": {
"date_histogram": {
"field": "@timestamp",
"interval": "6h",
"format": "yyyy-MM-dd-HH"
}
}
}
}
GET /logstash-jsy/nginx-access/_search
{
"size": 0,
"query": {
"match_phrase": {
"req_url": "/account/login"
}
},
"aggs": {
"sales": {
"date_histogram": {
"field": "@timestamp",
"interval": "6h",
"format": "yyyy-MM-dd-HH"
}
}
}
}
形如:
((x) || (y)) && (z)
GET /logstash-jsy/nginx-access/_search { "size": 0, "query": { "bool": { "must": [ { "bool": { "should": [ { "match_phrase": { "req_url": "/account/login" } }, { "match_phrase": { "req_url": "/account/register" } } ] } }, { "match": { "geoip.city_name": "Beijing" } } ] } }, "aggs": { "sales": { "date_histogram": { "field": "@timestamp", "interval": "6h", "format": "yyyy-MM-dd-HH" } } } }