需求
比如说我有 city, source, company, user等字段, 然后需要根据 user 字段来查出 各城市对应的 source, company字段, 即同样条件不同字段聚合, 如下
user city company user city source
需要同时返回这两种聚合结果, 要怎么实现呢
实现
{ "aggs": { "city": { # 第一层聚合city, 建议aggs_fied与聚合字段一致或相似, 方便后面取值 "terms": { "field": "city", "size": 100 # size不写默认是10, 建议写一个较大的数值 } "aggs": { "company": { # 第二层 同时聚合 company和 source "terms": { "field": "company", "size": 100 } }, "source": { # 第二层 同时聚合 company和 source "terms": { "field": "source", "size": 100 } } } } }, "query": { "bool": { "must": [ { "term": { "user": [ "1" ] } } ] } }, "size": 0 # size为0不会展示 hits, 只会展示聚合结果 }
聚合出来的结果是这个样子的
{ "took": 2, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": 292, "max_score": 0, "hits": [] }, "aggregations": { "city": { "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0, "buckets": [ { "key": "北京", # 城市是北京 "doc_count": 292, "company": { # 这是city+company的聚合结果 "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0, "buckets": [ { "key": 19, # 用户1在北京下面company=19的有262条数据 "doc_count": 262 }, { "key": 16, "doc_count": 14 } ] }, "source": { # 这是city+source的聚合结果 "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0, "buckets": [ { "key": 68, # 用户1在北京下面source=68的有4条数据 "doc_count": 4 }, { "key": 67, "doc_count": 3 }, { "key": 79, "doc_count": 3 }, { "key": 65, "doc_count": 1 } ] } } ] } } }
结论
是不是很简单方便啊, 语句结构也很简单, 即
如果是往下聚合则继续在 aggs的聚合下面继续写aggs
{ "aggs": { "aggs_field": { "terms": {}, "aggs": { "aggs_field": {} } } } }
如果是希望当前值保持跟上一层聚合, 则在当前aggs下继续平行写 聚合字段(aggs_field)
{ "aggs": { "aggs_field": { "terms": {}, "aggs": { "aggs_field": {}, "aggs_field2": {}, "aggs_field3": {} } } } }
