ElasticSearch - 如何在每个聚合桶中获取最小时间戳？

Question

我在 ElasticSearch 中有以下文档：

"ip": "192.168.10.12", "@timestamp": "2017-08-10T00:00:00.000Z", "states": "newyork", "user" : "admin"

"ip": "192.168.10.12", "@timestamp": "2017-08-10T01:25:00.000Z", "states": "California", "user" : "guest"

我尝试按用户使用 Elasticsearch 术语聚合 这是我所在的位置：

{
  "size":0,
  "query":{
     "bool":{
        "must":[
           {
              "term":{
                 "user":"admin"
              }
           },
           {
              "range":{
                 "@timestamp":{
                    "gte": "2017-08-10T00:00:00.000Z",
                    "lte": "2017-08-10T04:58:00.000Z"
                 }
              }
           }
        ]
     }
  },
  "aggs":{
     "states":{
        "terms":{
           "field":"states",
            "min_doc_count":8
        }
     }
  }
}

从查询中，将返回：

{
   "took": 1,
   "timed_out": false,
   "_shards": {
      "total": 1,
      "successful": 1,
      "failed": 0
   },
   "hits": {
      "total": 2,
      "max_score": 0,
      "hits": []
   },
   "aggregations": {
      "states": {
         "doc_count_error_upper_bound": 0,
         "sum_other_doc_count": 0,
         "buckets": [
            {
               "key": "New York",
               "doc_count": 200
            },
            {
               "key": "California",
               "doc_count": 10
            },

            {
               "key": "North Dakota",
               "doc_count": 125
            }
         ]
      }
   }
}

我想在每个桶中获得最小的@timestamp，

但是从返回中我可以得到每个桶“最小”@timestamp 吗？

Answer 1

您可以简单地添加一个min 度量子聚合

  "aggs":{
     "states":{
        "terms":{
           "field":"states",
            "min_doc_count":8
        }, 
        "aggs": {
            "min_timestamp": {
               "min": {
                  "field": "@timestamp"
               }
            }   
        }
     }
  }