多条件分组聚合查询
import org.elasticsearch.search.aggregations.*;
SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
searchSourceBuilder.query(QueryBuilders.boolQuery()
.must(QueryBuilders.rangeQuery("timestamp")
.timeZone("GMT+8")
.gte(startTime)
.lte(endTime))
);
// 聚合条件,text类型的字段聚合需要利用keyword
TermsAggregationBuilder aggregation = AggregationBuilders.terms("by_clientip").field("clientip.keyword")
.subAggregation(AggregationBuilders.terms("by_http_host").field("http_host.keyword")
.subAggregation(AggregationBuilders.terms("by_http_user_agent").field("http_user_agent.keyword")
.subAggregation(AggregationBuilders.max("by_timestamp").field("timestamp")
)));
searchSourceBuilder.aggregation(aggregation);
searchSourceBuilder.timeout(new TimeValue(60, TimeUnit.SECONDS));
searchSourceBuilder.sort(new FieldSortBuilder("timestamp").order(SortOrder.DESC));
searchRequest.source(searchSourceBuilder);
searchRequest.indicesOptions(IndicesOptions.lenientExpandOpen());
SearchResponse searchResponse = restHighLevelClient.search(searchRequest, RequestOptions.DEFAULT);
List<Map<String, Object>> mapList = new ArrayList<>();
Terms ipTerms = searchResponse.getAggregations().get("by_clientip");
for (Terms.Bucket ipBucket : ipTerms.getBuckets()) {
String ip = ipBucket .getKeyAsString();
Terms hostTerms = ipBucket.getAggregations().get("by_http_host");
for (Terms.Bucket ob : hostTerms.getBuckets()) {
String host= ob.getKeyAsString();
Terms uaTerms = ob.getAggregations().get("by_http_user_agent");
for (Terms.Bucket o : uaTerms.getBuckets()) {
String ua = ((Terms.Bucket) o).getKeyAsString();
Max timeTerms = o.getAggregations().get("by_timestamp");
Map<String, Object> map = new HashMap<>();
map.put("id", UUID.randomUUID().toString().replaceAll("-", ""));
map.put("clientIp", ip);
map.put("timestamp", timeTerms.getValue());
map.put("userAgent", ua);
mapList.add(map);
}
}
}