ElasticSearch 6.x 学习笔记：22.桶聚合

为了满足桶聚合多样性需求，修改文档如下。

DELETE my-indexPUT my-indexPUT my-index/persion/1{  "name":"张三",  "age":27,  "gender":"男",  "salary":15000,  "dep":"bigdata"}PUT my-index/persion/2{  "name":"李四",  "age":26,  "gender":"女",  "salary":15000,  "dep":"bigdata"}PUT my-index/persion/3{  "name":"王五",  "age":26,  "gender":"男",  "salary":17000,  "dep":"AI"}PUT my-index/persion/4{  "name":"刘六",  "age":27,  "gender":"女",  "salary":18000,  "dep":"AI"}PUT my-index/persion/5{  "name":"程裕强",  "age":31,  "gender":"男",  "salary":20000,  "dep":"bigdata"}PUT my-index/persion/6{  "name":"hadron",  "age":30,  "gender":"男",  "salary":20000,  "dep":"AI"}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket.html 在页面右下角可以看到各类具体的Bucket聚合连接

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-terms-aggregation.html A multi-bucket value source based aggregation where buckets are dynamically built - one per unique value. Terms聚合用于分组聚合。 【例子】根据薪资水平进行分组，统计每个薪资水平的人数

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "terms": {"field": "salary"}    }  }}

{  "took": 7,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 6,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "doc_count_error_upper_bound": 0,      "sum_other_doc_count": 0,      "buckets": [        {          "key": 15000,          "doc_count": 2        },        {          "key": 20000,          "doc_count": 2        },        {          "key": 17000,          "doc_count": 1        },        {          "key": 18000,          "doc_count": 1        }      ]    }  }}

【例子】统计上面每个分组的平均年龄

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "terms": {"field": "salary"},      "aggs":{        "avg_age":{          "avg":{"field": "age"}        }      }    }  }}

{  "took": 4,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 6,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "doc_count_error_upper_bound": 0,      "sum_other_doc_count": 0,      "buckets": [        {          "key": 15000,          "doc_count": 2,          "avg_age": {            "value": 26.5 }        },        {          "key": 20000,          "doc_count": 2,          "avg_age": {            "value": 30.5 }        },        {          "key": 17000,          "doc_count": 1,          "avg_age": {            "value": 26 }        },        {          "key": 18000,          "doc_count": 1,          "avg_age": {            "value": 27 }        }      ]    }  }}

【例子】统计每个部门的人数

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "terms": {"field": "dep"}    }  }}

{  "error": {    "root_cause": [      {        "type": "illegal_argument_exception",        "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [dep] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."      }    ],    "type": "search_phase_execution_exception",    "reason": "all shards failed",    "phase": "query",    "grouped": true,    "failed_shards": [      {        "shard": 0,        "index": "my-index",        "node": "cNWkQjt9SzKFNtyx8IIu-A",        "reason": {          "type": "illegal_argument_exception",          "reason": "Fielddata is disabled on text fields by default. Set fielddata=true on [dep] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."        }      }    ]  },  "status": 400}

根据错误提示”Fielddata is disabled on text fields by default. Set fielddata=true on [dep] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.”可知，需要开启fielddata参数。只需要设置某个字段"fielddata": true即可。 此外，根据官方文档提示se the my_field.keyword field for aggregations, sorting, or in scripts，可以尝试my_field.keyword格式用于聚合操作。

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "terms": {"field": "dep.keyword"}    }  }}

{  "took": 55,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 6,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "doc_count_error_upper_bound": 0,      "sum_other_doc_count": 0,      "buckets": [        {          "key": "AI",          "doc_count": 3        },        {          "key": "bigdata",          "doc_count": 3        }      ]    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-filter-aggregation.html Defines a multi bucket aggregation where each bucket is associated with a filter. Each bucket will collect all documents that match its associated filter. Filter聚合用于过滤器聚合，把满足过滤器条件的文档分到一组。

【例子】计算男人的平均年龄 也就是统计gender字段包含关键字“男”的文档的age平均值。

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "filter": {        "term":{"gender": "男"}      },      "aggs":{        "avg_age":{          "avg":{"field": "age"}        }      }    }  }}

{  "took": 2,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 6,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "doc_count": 4,      "avg_age": {        "value": 28.5      }    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-filters-aggregation.html Defines a single bucket of all the documents in the current document set context that match a specified filter. Often this will be used to narrow down the current aggregation context to a specific set of documents.

【例子】统计body字段包含”error”和包含”warning”的文档数

PUT /logs/message/_bulk?refresh{ "index" : { "_id" : 1 } }{ "body" : "warning: page could not be rendered" }{ "index" : { "_id" : 2 } }{ "body" : "authentication error" }{ "index" : { "_id" : 3 } }{ "body" : "warning: connection timed out" }GET logs/_search{  "size": 0,  "aggs" : {    "messages" : {      "filters" : {        "filters" : {          "errors" :   { "match" : { "body" : "error"   }},          "warnings" : { "match" : { "body" : "warning" }}        }      }    }  }}

{  "took": 54,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 3,    "max_score": 0,    "hits": []  },  "aggregations": {    "messages": {      "buckets": {        "errors": {          "doc_count": 1 },        "warnings": {          "doc_count": 2 }      }    }  }}

【例子】统计男女员工的平均年龄

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "filters":{        "filters": [          {"match":{"gender": "男"}},          {"match":{"gender": "女"}}        ]      },      "aggs":{        "avg_age":{            "avg":{"field": "age"}        }      }    }  }}

{  "took": 5,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 6,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "buckets": [        {          "doc_count": 4,          "avg_age": {            "value": 28.5 }        },        {          "doc_count": 2,          "avg_age": {            "value": 26.5 }        }      ]    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-range-aggregation.html

A multi-bucket value source based aggregation that enables the user to define a set of ranges - each representing a bucket. During the aggregation process, the values extracted from each document will be checked against each bucket range and “bucket” the relevant/matching document. Note that this aggregation includes the from value and excludes the to value for each range.

from..to区间范围是[from,to),也就是说包含from点，不包含to点 【例子】查询薪资在[0,10000),[10000,20000),[2000,+无穷大)三个范围的员工数

GET my-index/_search{  "size": 0,   "aggs": {    "group_count": {      "range": {        "field": "salary",        "ranges": [            {"to": 10000},            {"from": 10000,"to":20000},              {"from": 20000}        ]      }    }  }}

{  "took": 101,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 6,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "buckets": [        {          "key": "*-10000.0",          "to": 10000,          "doc_count": 0        },        {          "key": "10000.0-20000.0",          "from": 10000,          "to": 20000,          "doc_count": 4        },        {          "key": "20000.0-*",          "from": 20000,          "doc_count": 2        }      ]    }  }}

【例子】查询发布日期在2016-12-01之前、2016-12-01至2017-01-01、2017-01-01之后三个时间区间的文档数

GET website/_search{  "size": 0,   "aggs": {    "group_count": {      "range": {        "field": "postdate",        "format":"yyyy-MM-dd",        "ranges": [            {"to": "2016-12-01"},            {"from": "2016-12-01","to":"2017-01-01"},              {"from": "2017-01-01"}        ]      }    }  }}

{  "took": 24,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 9,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "buckets": [        {          "key": "*-2016-12-01",          "to": 1480550400000,          "to_as_string": "2016-12-01",          "doc_count": 0        },        {          "key": "2016-12-01-2017-01-01",          "from": 1480550400000,          "from_as_string": "2016-12-01",          "to": 1483228800000,          "to_as_string": "2017-01-01",          "doc_count": 7        },        {          "key": "2017-01-01-*",          "from": 1483228800000,          "from_as_string": "2017-01-01",          "doc_count": 2        }      ]    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-daterange-aggregation.html A range aggregation that is dedicated for date values. The main difference between this aggregation and the normal range aggregation is that the from and to values can be expressed in Date Math expressions, and it is also possible to specify a date format by which the from and to response fields will be returned. Note that this aggregation includes the from value and excludes the to value for each range. 专用于日期值的范围聚合。 这种聚合和正常范围聚合的主要区别在于，起始和结束值可以在日期数学表达式中表示，并且还可以指定返回起始和结束响应字段的日期格式。 请注意，此聚合包含from值并排除每个范围的值。

【例子】计算一年前之前发表的博文数和从一年前以来发表的博文总数

GET website/_search{  "size": 0,   "aggs": {    "group_count": {      "range": {        "field": "postdate",        "format":"yyyy-MM-dd",        "ranges": [            {"to": "now-12M/M"},            {"from": "now-12M/M"}        ]      }    }  }}

{  "took": 44,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 9,    "max_score": 0,    "hits": []  },  "aggregations": {    "group_count": {      "buckets": [        {          "key": "*-2017-01-01",          "to": 1483228800000,          "to_as_string": "2017-01-01",          "doc_count": 7        },        {          "key": "2017-01-01-*",          "from": 1483228800000,          "from_as_string": "2017-01-01",          "doc_count": 2        }      ]    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-missing-aggregation.html

A field data based single bucket aggregation, that creates a bucket of all documents in the current document set context that are missing a field value (effectively, missing a field or having the configured NULL value set). This aggregator will often be used in conjunction with other field data bucket aggregators (such as ranges) to return information for all the documents that could not be placed in any of the other buckets due to missing field data values. 基于字段数据的单桶集合，创建当前文档集上下文中缺少字段值（实际上缺少字段或设置了配置的NULL值）的所有文档的桶。 此聚合器通常会与其他字段数据存储桶聚合器（如范围）一起使用，以返回由于缺少字段数据值而无法放置在其他存储桶中的所有文档的信息。

沁言学术

你的论文写作AI助理，永久免费文献管理工具，认准沁言学术

下载

PUT my-index/persion/7{  "name":"test",  "age":30,  "gender":"男"}PUT my-index/persion/8{  "name":"abc",  "age":28,  "gender":"女"}PUT my-index/persion/9{  "name":"xyz",  "age":32,  "gender":"男",  "salary":null,  "dep":null}

salary字段缺少的文档

GET my-index/_search{  "size": 0,   "aggs": {    "noDep_count": {      "missing": {"field": "salary"}    }  }}

{  "took": 29,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 9,    "max_score": 0,    "hits": []  },  "aggregations": {    "noDep_count": {      "doc_count": 3    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-children-aggregation.html

A special single bucket aggregation that selects child documents that have the specified type, as defined in a join field. 一个特殊的单桶集合，用于选择具有指定类型的子文档，如join字段中定义的。

这种聚合有一个单一的选择：type - 应该选择的子类型.

【例子】 （1）索引定义 下面通过join字段定义了一个单一关系，question 是answer的父文档。

PUT join_index{  "mappings": {    "doc": {      "properties": {        "my_join_field": {           "type": "join",          "relations": {            "question": "answer"           }        }      }    }  }}

（2）父文档question

PUT join_index/doc/1?refresh{  "text": "This is a question",  "my_join_field": {    "name": "question"   }}PUT join_index/doc/2?refresh{  "text": "This is a another question",  "my_join_field": {    "name": "question"  }}

（3）子文档answer

PUT join_index/doc/3?routing=1&refresh {  "text": "This is an answer",  "my_join_field": {    "name": "answer",     "parent": "1"   }}PUT join_index/doc/4?routing=1&refresh{  "text": "This is another answer",  "my_join_field": {    "name": "answer",    "parent": "1"  }}

（4）统计子文档数量

POST join_index/_search{  "size": 0,   "aggs": {    "to-answers": {        "children": {          "type" : "answer"         }    }  }}

{  "took": 4,  "timed_out": false,  "_shards": {    "total": 5,    "successful": 5,    "skipped": 0,    "failed": 0  },  "hits": {    "total": 4,    "max_score": 0,    "hits": []  },  "aggregations": {    "to-answers": {      "doc_count": 2    }  }}

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-global-aggregation.html

Defines a single bucket of all the documents within the search execution context. This context is defined by the indices and the document types you’re searching on, but is not influenced by the search query itself.

NOTE：Global aggregators can only be placed as top level aggregators because it doesn’t make sense to embed a global aggregator within another bucket aggregator.

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-histogram-aggregation.html

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-iprange-aggregation.html

Just like the dedicated date range aggregation, there is also a dedicated range aggregation for IP typed fields:

https://www.elastic.co/guide/en/elasticsearch/reference/6.1/search-aggregations-bucket-nested-aggregation.html

A special single bucket aggregation that enables aggregating nested documents.

For example, lets say we have an index of products, and each product holds the list of resellers - each having its own price for the product. The mapping could look like: