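一、按 sum 子聚合的结果对 terms 分桶排序
（注意：下面 terms 中的 "script" 是内联脚本，并且逐条读取 _source，数据量大时开销较高。若集群为此开启了动态脚本，应确保查询接口不对不可信客户端开放；更稳妥的做法是在写入时预先生成该拼接字段，再直接按字段做 terms 聚合。）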
{
"query":
{
"match_all": {}
},
"aggregations":
{
"leo": {
"terms": {
"script": "_source.time.split(' ')[0]+':'+_source.workflow",
"order": {
"leo2": "asc" }
},
"aggregations": {
"leo2": {
"sum": { "field": "errcode" } }
}
}
}
}
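二、按时间粒度做聚合
（注意：min_doc_count 为 0 时空桶也会返回；像下文那样在 1d 内再嵌套 5m 的直方图，每天就会产生 288 个桶。与 match_all 一起使用时，建议先用 range 条件限定时间范围，避免返回过大的结果并占用过多内存。）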
{
"query": {
"match_all": {}
},
"aggregations": {
"agg": {
"date_histogram": {
"field":
"time",
"interval":
"1h",
"min_doc_count":
0,
"format":
"yyyy-MM-dd HH:mm:ss"
},
"aggregations": {
"max-userrate": {
"max": {
"field":
"userrate"
}
},
"max-bandwidthrate": {
"max": {
"field":
"bandwidthrate"
}
},
"max-spacerate": {
"max": {
"field":
"spacerate"
}
}
}
}
}
}
{
"size":
1,
"query": {
"match_all": {}
},
"aggregations": {
"agg": {
"date_histogram": {
"field":
"logtime",
"interval":
"1d",
"min_doc_count":
0,
"format":
"yyyyMMddHHmmss"
},
"aggregations": {
"agg1": {
"date_histogram": {
"field":
"logtime",
"interval":
"5m",
"min_doc_count":
0,
"format":
"yyyyMMddHHmmss"
}
}
}
}
}
}
对应的 Java API 写法如下（根据粒度 particle 选择 date_histogram 的时间间隔）：
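// Build the "agg" date_histogram for the requested granularity.
// Every branch uses the same name, field, format and minDocCount; only the
// interval differs, so the switch selects the interval and the builder chain
// is written once. This keeps the field/format in sync across granularities.
DateHistogram.Interval histogramInterval = null;
switch (particle) {
    case Constant.particle_10m:
        histogramInterval = DateHistogram.Interval.minutes(10);
        break;
    case Constant.particle_1h:
        histogramInterval = DateHistogram.Interval.HOUR;
        break;
    case Constant.particle_1d:
        histogramInterval = DateHistogram.Interval.DAY;
        break;
    case Constant.particle_1w:
        histogramInterval = DateHistogram.Interval.WEEK;
        break;
    case Constant.particle_1M:
        histogramInterval = DateHistogram.Interval.MONTH;
        break;
    case Constant.particle_1s:
        // NOTE(review): particle_1s selects a QUARTER interval, not one second;
        // presumably "s" stands for season -- confirm against Constant.
        histogramInterval = DateHistogram.Interval.QUARTER;
        break;
    default:
        // Unrecognised granularity: `aggregation` is left untouched, as before.
        break;
}
if (histogramInterval != null) {
    aggregation = AggregationBuilders
            .dateHistogram("agg")
            .field("time")
            .interval(histogramInterval)
            .format("yyyy-MM-dd HH:mm:ss")
            // minDocCount(0) makes empty buckets appear in the response, so the
            // bucket count grows with the queried time span; callers should
            // bound the time range of the query when using fine intervals.
            .minDocCount(0);
}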
三、按时间粒度做双重聚合后按sum排序
{
"size":
0,
"query":
{
"match_all": {}
},
"aggregations":
{
"agg1": {
"date_histogram": {
"field": "logtime",
"interval": "1d",
"min_doc_count": 0,
"format": "yyyy-MM-dd HH:mm:ss"
},
"aggregations": {
"agg2": {
"date_histogram": { "field": "logtime", "interval": "5m", "min_doc_count": 0, "format": "yyyy-MM-dd HH:mm:ss", "order":{ "leo2":"asc" } },
"aggregations": { "leo2": { "sum": { "field": "totalsum" } } } }
}
}
}
}