1. Terms: a multi-bucket aggregation that builds its buckets dynamically from the documents, equivalent to GROUP BY in SQL. The result is not exact (bucket counts are approximated across shards).
A. Request: GET /_search
B. Parameters
size: the number of results (documents) returned, default 10; a larger size gives more accurate results but also costs more;
order: specifies how the returned results are sorted;
C. Kibana operation
D. Java code
    import java.util.List;
    import java.util.Map;
    import java.util.stream.Collectors;

    import cn.hutool.core.util.StrUtil;
    // package paths as in the 7.x high-level REST client
    import org.elasticsearch.action.search.SearchRequest;
    import org.elasticsearch.action.search.SearchResponse;
    import org.elasticsearch.client.RequestOptions;
    import org.elasticsearch.index.query.BoolQueryBuilder;
    import org.elasticsearch.index.query.QueryBuilders;
    import org.elasticsearch.search.aggregations.AggregationBuilder;
    import org.elasticsearch.search.aggregations.AggregationBuilders;
    import org.elasticsearch.search.aggregations.bucket.terms.Terms;
    import org.elasticsearch.search.aggregations.metrics.TopHits;
    import org.elasticsearch.search.builder.SearchSourceBuilder;

    @Override
    public List<String> findExternalAttackIpByHostId(String hostId) throws Exception {
        // hostId is "<device_group>_<dstip>" (inferred from the filters below)
        String[] hostArr = hostId.split(StrUtil.UNDERLINE);
        SearchRequest searchRequest = new SearchRequest("index-*");
        SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
        // Query conditions
        BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery()
                .filter(QueryBuilders.termQuery("data.ids.event_direction", 2))
                .filter(QueryBuilders.termQuery("data.se.device_group", hostArr[0]))
                .filter(QueryBuilders.termQuery("data.dstip", hostArr[1]));
        searchSourceBuilder.query(boolQueryBuilder);
        // The matching documents themselves are not needed, only the aggregation
        searchSourceBuilder.size(0);
        String[] includeFields = new String[]{"data.srcip"};
        // Deduplicate IPs: one bucket per srcip, keep a single hit per bucket.
        // Note: the effective upper bound on size is the cluster's search.max_buckets setting.
        AggregationBuilder aggregationBuilder = AggregationBuilders.terms("terms").field("data.srcip").size(Integer.MAX_VALUE)
                .subAggregation(AggregationBuilders.topHits("topHits").fetchSource(includeFields, null).size(1));
        searchSourceBuilder.aggregation(aggregationBuilder);
        searchRequest.source(searchSourceBuilder);
        SearchResponse searchResponse = restHighLevelClient.search(searchRequest, RequestOptions.DEFAULT);
        // Use the Terms interface: the parsed class depends on the field type
        // (keyword/ip -> ParsedStringTerms, numeric -> ParsedLongTerms), so ParsedLongTerms would throw a ClassCastException here.
        Terms terms = searchResponse.getAggregations().get("terms");
        return terms.getBuckets().stream().map(bucket -> {
            TopHits topHits = bucket.getAggregations().get("topHits");
            @SuppressWarnings("unchecked")
            Map<String, Object> data = (Map<String, Object>) topHits.getHits().getHits()[0].getSourceAsMap().get("data");
            // bucket.getKeyAsString() would return the same IP; the top hit is kept to show the sub-aggregation
            return String.valueOf(data.get("srcip"));
        }).collect(Collectors.toList());
    }
2. Top Hits: returns the top-ranked hits within each bucket of an aggregation
A. Request: POST /sales/_search
B. Parameters
from: offset of the first hit to return
size: maximum number of matching hits to return, default 3
sort: sort order
C. Kibana operation
D. Java code: see the Terms aggregation
Reference: the official Elasticsearch aggregation documentation
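The request body that the Java code above builds, together with a parser for the terms + top_hits response, as an added Python example (not part of the original notes; the sample response is constructed, and the hostId format `<device_group>_<dstip>` is inferred from the split in the Java code). It also reads the two response fields that quantify the "not exact" caveat of the terms aggregation.

```python
from typing import Any, Dict, List

def build_external_attack_ip_query(host_id: str, size: int = 10) -> Dict[str, Any]:
    """Body for GET /index-*/_search mirroring findExternalAttackIpByHostId:
    filter on direction / device group / dstip, return no hits (size 0), then
    bucket the source IPs with a terms aggregation and keep one top hit per bucket."""
    # Assumption: hostId is "<device_group>_<dstip>", as the Java split on "_" implies.
    device_group, dst_ip = host_id.split("_")
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"data.ids.event_direction": 2}},
            {"term": {"data.se.device_group": device_group}},
            {"term": {"data.dstip": dst_ip}},
        ]}},
        "aggs": {"terms": {
            "terms": {"field": "data.srcip", "size": size},
            "aggs": {"topHits": {"top_hits": {
                "size": 1, "_source": {"includes": ["data.srcip"]}}}},
        }},
    }

def parse_src_ips(response: Dict[str, Any]) -> Dict[str, Any]:
    """Collect the distinct source IPs from a terms + top_hits response and surface
    the two fields that show how inexact the result is."""
    terms = response["aggregations"]["terms"]
    ips: List[str] = []
    for bucket in terms["buckets"]:
        top = bucket["topHits"]["hits"]["hits"][0]
        ips.append(top["_source"]["data"]["srcip"])  # equals bucket["key"] for this field
    return {
        "ips": ips,
        # documents whose IP fell outside the returned buckets: size was too small
        "dropped_docs": terms["sum_other_doc_count"],
        # worst-case error in any returned bucket's doc_count across shards
        "error_upper_bound": terms["doc_count_error_upper_bound"],
    }

# Constructed sample response (not real cluster output): one bucket was cut off by size.
SAMPLE_RESPONSE = {
    "aggregations": {"terms": {
        "doc_count_error_upper_bound": 3, "sum_other_doc_count": 2,
        "buckets": [
            {"key": "203.0.113.7", "doc_count": 7, "topHits": {"hits": {"hits": [
                {"_source": {"data": {"srcip": "203.0.113.7"}}}]}}},
            {"key": "198.51.100.2", "doc_count": 3, "topHits": {"hits": {"hits": [
                {"_source": {"data": {"srcip": "198.51.100.2"}}}]}}},
        ]}},
}
```

When `dropped_docs` is non-zero or `error_upper_bound` is large, the IP list is incomplete and the request should be retried with a larger `size`.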