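3.5.3. Rollup
Author: 杨景江
Reviewer: 朱永生
Rollup jobs are tasks that run periodically. A rollup job periodically applies a custom aggregation to the data in selected indices and writes the aggregated result to a new index. The whole process is called Rollup.
Use cases:
Summarizing historical data:
Historical data is large and expensive to keep on disk. The business teams concerned only care about the raw data of the last few days; for older data they do not care about the raw documents, only about fixed metric statistics. To save cost, a Rollup operation can summarize the historical data and write it to a new index, after which the historical indices can be deleted (the ILM feature), saving a large amount of cost.
Converting at the best time:
When real-time aggregation queries are slow because of data volume, machine hardware, or similar reasons, a Rollup operation can be run at night or in near real time to summarize the previous day's index, or the data from a few minutes ago, and write it to a new index (summarizing millisecond-level data into second-level or even minute-level data). Users then query the rolled-up data in the new index, which improves query efficiency.
Limitations of the rollup feature for historical data:
The rollup feature only allows fields to be grouped with the following aggregations:
• Date Histogram aggregation
• Histogram aggregation
• Terms aggregation (used most often)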
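Numeric fields support only the following metric aggregations:
• Min aggregation
• Max aggregation
• Sum aggregation
• Average aggregation
• Value Count aggregation
Every feature should be used in the context of a concrete business scenario; never design around a feature just for the sake of using it.
API overview
This section uses the collection of Elasticsearch slow-query statistics as the example (sensitive information has been replaced).
Data preparation
Index mapping structure: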
PUT es-slowlog-2021-04-21
{
  "mappings": {
    "_field_names": { "enabled": false },
    "dynamic_templates": [
      {
        "strings": {
          "match_mapping_type": "string",
          "mapping": { "ignore_above": 512, "type": "keyword" }
        }
      }
    ],
    "properties": {
      "@timestamp": { "type": "date" },
      "cluster": { "type": "keyword", "ignore_above": 512 },
      "host": {
        "properties": {
          "name": { "type": "keyword", "ignore_above": 512 }
        }
      },
      "elasticsearch": {
        "properties": {
          "index": {
            "properties": {
              "name": { "type": "keyword", "ignore_above": 512 }
            }
          }
        }
      },
      "timestamp_local": { "type": "date" }
    }
  }
}
A sample document (matching the mapping above):
POST es-slowlog-2021-04-21/_doc
{
  "cluster": "clustername-demo",
  "offset": 0,
  "log": { "level": "WARN" },
  "prospector": { "type": "log" },
  "source": "/home/elasticsearch/clustername-demo_index_search_slowlog.log",
  "message": "[2021-04-21T14:03:06,896][WARN ][i.s.s.query ] [host_name-demo] [basiclog-slowlog_2021-04-02][2] took[2.3s], took_millis[2307], total_hits[23129 hits], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[4], source[{\"size\":0,\"query\":{\"bool\":{\"filter\":[{\"match_all\":{\"boost\":1.0}},{\"match_phrase\":{\"logtype.keyword\":{\"query\":\"server\",\"slop\":0,\"zero_terms_query\":\"NONE\",\"boost\":1.0}}},{\"range\":{\"@timestamp\":{\"from\":\"2021-04-02T15:48:04.138Z\",\"to\":\"2021-04-02T16:03:04.138Z\",\"include_lower\":true,\"include_upper\":true,\"format\":\"strict_date_optional_time\",\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},\"_source\":{\"includes\":[],\"excludes\":[]},\"stored_fields\":\"*\",\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"date_time\"},{\"field\":\"time\",\"format\":\"date_time\"}],\"script_fields\":{},\"track_total_hits\":2147483647,\"aggregations\":{\"2\":{\"terms\":{\"field\":\"cluster.keyword\",\"size\":20,\"min_doc_count\":1,\"shard_min_doc_count\":0,\"show_term_doc_count_error\":false,\"order\":[{\"_count\":\"desc\"},{\"_key\":\"asc\"}]}}}}], id[],",
  "input": { "type": "log" },
  "logtype": "slowlog",
  "log_type": "basic-slowlog",
  "timestamp_local": "2021-04-21T14:03:06.896+08:00",
  "@timestamp": "2021-04-21T14:03:06.896Z",
  "elasticsearch": {
    "node": { "name": "host_name-demo" },
    "slowlog": { "took": "2.3s", "logger": "i.s.s.query " },
    "index": { "name": "basiclog-slowlog_2021-04-02" },
    "shard": { "id": "2" }
  },
  "host": { "name": "host_name-demo" },
  "beat": { "hostname": "beathostname-demo", "name": "beathostname-demo", "version": "6.5.4" },
  "@version": "1",
  "event": {
    "duration": 2307000000,
    "created": "2021-04-21T06:59:11.934Z",
    "kind": "event",
    "category": "database",
    "type": "info"
  }
}
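To make the grouping and metric limits described earlier concrete, the following added example (not part of the original handbook, and not Elasticsearch's own code or rollup document format) simulates locally what a rollup produces for slow-log documents shaped like the sample above: a date histogram bucket plus terms grouping, with the five permitted metrics on a numeric field. All documents are constructed, the dotted field names are flattened for brevity, and `other-index-demo` is a made-up index name.

```python
from collections import defaultdict
from datetime import datetime, timezone

def doc(ts, index, duration_ns):
    """Build one constructed slow-log document with only the fields used below."""
    return {"@timestamp": ts, "cluster": "clustername-demo",
            "elasticsearch.index.name": index, "event.duration": duration_ns}

# Constructed sample data (not real logs): millisecond-resolution events.
DOCS = [
    doc("2021-04-21T14:03:06.896Z", "basiclog-slowlog_2021-04-02", 2307000000),
    doc("2021-04-21T14:03:21.410Z", "basiclog-slowlog_2021-04-02", 1693000000),
    doc("2021-04-21T14:03:59.999Z", "basiclog-slowlog_2021-04-02", 3500000000),
    doc("2021-04-21T14:03:30.000Z", "other-index-demo", 5000000000),
    doc("2021-04-21T14:04:10.100Z", "basiclog-slowlog_2021-04-02", 900000000),
]

def bucket_start(ts, interval_s):
    """Date histogram key: floor a UTC timestamp to the start of its interval."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    start = datetime.fromtimestamp(epoch - epoch % interval_s, tz=timezone.utc)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")

def rollup(docs, interval_s=60,
           terms=("cluster", "elasticsearch.index.name"), metric="event.duration"):
    """Group by (time bucket, terms...) and keep only the five allowed metrics."""
    groups = defaultdict(list)
    for d in docs:
        key = (bucket_start(d["@timestamp"], interval_s),) + tuple(d[t] for t in terms)
        groups[key].append(d[metric])
    rolled = []
    for key, vals in sorted(groups.items()):
        summary = {"@timestamp": key[0], **dict(zip(terms, key[1:]))}
        summary[metric] = {"min": min(vals), "max": max(vals), "sum": sum(vals),
                           "avg": sum(vals) / len(vals), "value_count": len(vals)}
        rolled.append(summary)  # raw fields such as "message" are gone for good
    return rolled

if __name__ == "__main__":
    for row in rollup(DOCS):
        print(row)
```

Five raw documents become three minute-level summaries; anything not listed as a group or metric, including the raw `message` text, cannot be recovered from the rolled-up data once the source index is deleted.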
Configure Index Patterns in Kibana
Note: for the latest version of the API, refer to the official documentation:
https://www.elastic.co/guide/en/elasticsearch/reference/master/xpack-rollup.html
Elastic Stack Practical Handbook (《Elastic Stack 实战手册》), III. Product Capabilities, 3.5 Advanced, 3.5.3. Rollup (2): https://developer.aliyun.com/article/1228769