Elasticsearch Aggregations API

1. Terms: a multi-bucket aggregation that builds one bucket per distinct value found in the documents, the equivalent of GROUP BY in SQL. Its counts are approximate: every shard reports only its own top terms, and the coordinating node merges those partial lists, so a term that sits just below the cut-off on some shard is under-counted or missing.

  A. Request: GET /_search

  B. Parameters

    size: number of buckets to return, default 10. A larger size is more accurate but costs more memory and time; the related shard_size (default size * 1.5 + 10) sets how many terms each shard contributes to the merge, and the response's doc_count_error_upper_bound tells you how far off a count may be;

    order: sort order of the buckets, default _count descending; _key or a sub-aggregation metric can be used instead;

  C. Kibana operation

  D. Java code

    // Assumed dependencies: Hutool (StrUtil) and the Elasticsearch 7.x high-level
    // REST client; restHighLevelClient is injected by the enclosing class.
    import cn.hutool.core.util.StrUtil;
    import org.elasticsearch.action.search.SearchRequest;
    import org.elasticsearch.action.search.SearchResponse;
    import org.elasticsearch.client.RequestOptions;
    import org.elasticsearch.index.query.BoolQueryBuilder;
    import org.elasticsearch.index.query.QueryBuilders;
    import org.elasticsearch.search.aggregations.AggregationBuilder;
    import org.elasticsearch.search.aggregations.AggregationBuilders;
    import org.elasticsearch.search.aggregations.bucket.terms.Terms;
    import org.elasticsearch.search.aggregations.metrics.TopHits;
    import org.elasticsearch.search.builder.SearchSourceBuilder;
    import java.util.List;
    import java.util.Map;
    import java.util.stream.Collectors;

    // Upper bound on distinct source IPs returned. Keep it below the cluster's
    // search.max_buckets, otherwise Elasticsearch rejects the response.
    private static final int MAX_SRC_IPS = 10_000;

    @Override
    @SuppressWarnings("unchecked")
    public List<String> findExternalAttackIpByHostId(String hostId) throws Exception {
        // hostId is "<device_group>_<dstip>"; reject anything else before it reaches the query
        String[] hostArr = hostId.split(StrUtil.UNDERLINE);
        if (hostArr.length != 2) {
            throw new IllegalArgumentException("hostId must be <device_group>_<dstip>: " + hostId);
        }
        SearchRequest searchRequest = new SearchRequest("index-*");
        SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
        // Query conditions in filter context: exact matches, no scoring, cacheable.
        // The values are passed as query parameters, not spliced into a query string.
        BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery()
                .filter(QueryBuilders.termQuery("data.ids.event_direction", 2))
                .filter(QueryBuilders.termQuery("data.se.device_group", hostArr[0]))
                .filter(QueryBuilders.termQuery("data.dstip", hostArr[1]));
        searchSourceBuilder.query(boolQueryBuilder);
        // Only the aggregation is needed, not the matching documents
        searchSourceBuilder.size(0);
        String[] includeFields = new String[]{"data.srcip"};
        // One bucket per distinct source IP (dedup); top_hits keeps one document per bucket
        AggregationBuilder aggregationBuilder = AggregationBuilders.terms("terms").field("data.srcip").size(MAX_SRC_IPS)
                .subAggregation(AggregationBuilders.topHits("topHits").fetchSource(includeFields, null).size(1));
        searchSourceBuilder.aggregation(aggregationBuilder);
        searchRequest.source(searchSourceBuilder);
        SearchResponse searchResponse = restHighLevelClient.search(searchRequest, RequestOptions.DEFAULT);
        // Read through the Terms interface: the concrete class depends on the field type
        // (ParsedStringTerms for keyword/ip fields, ParsedLongTerms for numeric fields)
        Terms terms = searchResponse.getAggregations().get("terms");
        return terms.getBuckets().stream().map(bucket -> {
            // bucket.getKeyAsString() already holds the IP; reading it from the
            // top_hits sub-aggregation is kept here to show how top_hits is consumed
            TopHits topHits = bucket.getAggregations().get("topHits");
            Map<String, Object> data = (Map<String, Object>) topHits.getHits().getHits()[0].getSourceAsMap().get("data");
            return String.valueOf(data.get("srcip"));
        }).collect(Collectors.toList());
    }
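The "not too accurate" remark in section 1 is easier to believe when you see the merge step. The following Python simulation is an added example, not code from the page: it reduces a terms aggregation the way the coordinating node does (each shard returns only its top shard_size keys, the coordinator sums them and keeps the top size), computes doc_count_error_upper_bound the way the response reports it, and contrasts the result with the exact global count. It also builds the JSON request body that corresponds to the Java code above, including the Top Hits parameters from section 2 (from, size, sort). The shard contents, the IPs, and the @timestamp sort field are constructed assumptions.

```python
"""Why a terms aggregation is approximate: simulate the per-shard reduce.

Added example on constructed data; nothing here is real traffic.
"""
from collections import Counter

# Constructed sample: data.srcip of inbound events, as they might be
# distributed over the three shards of an index-* index.
SHARDS = [
    ["10.0.0.1"] * 5 + ["10.0.0.2"] * 4 + ["10.0.0.3"] * 3 + ["10.0.0.4"] * 2,
    ["10.0.0.1"] * 1 + ["10.0.0.2"] * 4 + ["10.0.0.3"] * 3 + ["10.0.0.4"] * 5,
    ["10.0.0.1"] * 1 + ["10.0.0.2"] * 1 + ["10.0.0.3"] * 6 + ["10.0.0.4"] * 4,
]


def top_n(counts, n):
    """Default terms order: doc_count descending, ties broken by key ascending."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def exact_terms(shards, size):
    """Ground truth: count every document globally, then take the top `size` keys."""
    total = Counter()
    for docs in shards:
        total.update(docs)
    return top_n(total, size)


def sharded_terms(shards, size, shard_size=None):
    """Mimic the coordinating node's reduce of a terms aggregation.

    Each shard sends back only its own top `shard_size` keys; the coordinator
    sums those partial counts and keeps the top `size`. Returns
    (buckets, doc_count_error_upper_bound), mirroring the response fields.
    """
    if shard_size is None:
        shard_size = int(size * 1.5 + 10)  # Elasticsearch default
    merged = Counter()
    error_upper_bound = 0
    for docs in shards:
        partial = top_n(Counter(docs), shard_size)
        merged.update(dict(partial))  # dict(): update() with a list would count tuples
        # A key this shard cut off had at most as many docs as the last key it
        # returned, so that count is the shard's contribution to the error bound.
        # A shard that returned all of its keys contributes 0.
        if len(partial) == shard_size:
            error_upper_bound += partial[-1][1]
    return top_n(merged, size), error_upper_bound


def terms_with_top_hits_body(field, size, shard_size):
    """Request body equivalent to the Java code, plus the accuracy knobs
    (shard_size, show_term_doc_count_error) and the Top Hits parameters
    from / size / sort. The @timestamp sort field is an assumption.
    json.dumps(...) of this can be pasted into Kibana Dev Tools."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"data.ids.event_direction": 2}}]}},
        "aggs": {
            "terms": {
                "terms": {
                    "field": field,
                    "size": size,
                    "shard_size": shard_size,
                    "order": {"_count": "desc"},
                    "show_term_doc_count_error": True,
                },
                "aggs": {
                    "topHits": {
                        "top_hits": {
                            "from": 0,
                            "size": 1,
                            "sort": [{"@timestamp": {"order": "desc"}}],
                            "_source": {"includes": [field]},
                        }
                    }
                },
            }
        },
    }


if __name__ == "__main__":
    print("exact        :", exact_terms(SHARDS, 2))
    print("shard_size=2 :", sharded_terms(SHARDS, 2, shard_size=2))
    print("default      :", sharded_terms(SHARDS, 2))
```

With size=2 and shard_size=2 the simulation returns 10.0.0.4 with 9 and 10.0.0.2 with 8, while the exact top two are 10.0.0.3 with 12 and 10.0.0.4 with 11: the globally most frequent IP never makes it into the result, and the reported error bound of 12 is the only hint. With the default shard_size the result is exact and the bound is 0. For a deduplication query like the one in the Java code, where every distinct IP must appear, the practical rule is to set size (and therefore shard_size) above the true cardinality, or to switch to a composite aggregation and page through it.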

2. Top Hits: a metric aggregation that returns the top-ranked documents of each bucket; it is normally used as a sub-aggregation of a bucket aggregation such as Terms

  A. Request: POST /sales/_search

  B. Parameters

    from: offset of the first hit to return

    size: maximum number of hits to return per bucket, default 3

    sort: sort order of the hits, by _score if not given

  C. Kibana operation

  D. Java code: see the Terms aggregation above, where top_hits is the sub-aggregation

Reference: the official Elasticsearch aggregations documentation
