返回{ "error": { "root_cause": [ { "type": "parsing_exception", "reason": "Found two aggregation type definitions in [ll]: [sum_bucket] and [bucket_script]", "line": 63, "col": 38 } ], "type": "parsing_exception", "reason": "Found two aggregation type definitions in [ll]: [sum_bucket] and [bucket_script]", "line": 63, "col": 38 }, "status": 400 }
时间: 2024-01-05 17:15:31 浏览: 25
这个错误是因为在 `ll` 聚合中同时使用了 `sum_bucket` 和 `bucket_script` 聚合类型,这是不允许的。你可以修改 `ll`、`llsd` 和 `cksj` 聚合的定义,将 `sum_bucket` 和 `bucket_script` 分别放在不同的聚合中,以解决这个问题。下面是修改后的查询:
```
GET video_traffic_record/_search
{
"size": 0,
"query": {
"match_all": {}
},
"aggs": {
"domains": {
"terms": {
"field": "domain_name",
"size": 10,
"order": {
"count": "desc"
}
},
"aggs": {
"ports": {
"terms": {
"field": "http_port"
},
"aggs": {
"days": {
"date_histogram": {
"field": "TIME",
"interval": "day",
"format": "yyyy-MM-dd"
},
"aggs": {
"count": {
"value_count": {
"field": "TIME"
}
},
"ll_sum": {
"sum": {
"field": "ll"
}
},
"llsd_sum": {
"sum": {
"field": "llsd"
}
},
"cksj_sum": {
"sum": {
"field": "cksj"
}
}
}
},
"ll": {
"bucket_script": {
"buckets_path": {
"sum": "days>ll_sum"
},
"script": "params.sum / (1024 * 1024)"
}
},
"llsd": {
"bucket_script": {
"buckets_path": {
"sum": "days>llsd_sum"
},
"script": "params.sum / (1024 * 1024)"
}
},
"cksj": {
"bucket_script": {
"buckets_path": {
"sum": "days>cksj_sum"
},
"script": "params.sum / (1024 * 1024)"
}
}
}
},
"count": {
"sum_bucket": {
"buckets_path": "ports>days>count"
}
},
"ll_sum": {
"sum_bucket": {
"buckets_path": "ports>ll"
}
},
"llsd_sum": {
"sum_bucket": {
"buckets_path": "ports>llsd"
}
},
"cksj_sum": {
"sum_bucket": {
"buckets_path": "ports>cksj"
}
}
}
}
}
}
```
这个修改后的查询将会:
- 在每个 `http_port` 分组中,计算 `ll`、`llsd` 和 `cksj` 的总和,然后使用 `bucket_script` 聚合类型计算平均值。
- 计算每个 `domain_name` 分组的总 `count`、`ll`、`llsd` 和 `cksj`。
注意,这个查询假设 `TIME` 字段是一个 Unix 时间戳。如果你的时间字段格式不同,需要修改 `date_histogram` 聚合的 `format` 参数。