How to return a custom field result when using query_template
I created a query_template to get the average number of alerts per day, but it does not return the avg_count result to Logstash. I have done this before when the field exists, but not with a custom result, i.e. something that is not a field (avg_count). How do I return the avg_count value to Logstash (v7.10), or how do I reference the avg_count result correctly? When tested in Dev Tools, the query does return avg_count.
Logstash filter:
if [almcustomer] =~ ".+" {
  elasticsearch {
    hosts => "http://127.0.0.1:9200"
    user => "user"
    password => "password"
    index => ["acsc-main-alerts-*"]
    query_template => "/etc/logstash/conf.d/query_templates/query_average_alerts_per_day.json"
    result_size => 1
    fields => { "avg_count" => "average_alerts_per_day" }
  }
}
Query template (query_average_alerts_per_day.json):
{
  "query": {
    "bool": {
      "must": [],
      "filter": []
    }
  },
  "aggs": {
    "groupBy": {
      "terms": {
        "field": "almcustomer"
      },
      "aggs": {
        "docs_per_day": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "1d"
          }
        },
        "avg_count": {
          "avg_bucket": {
            "buckets_path": "docs_per_day>_count"
          }
        }
      }
    }
  }
}
Dev Tools result:
{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 310,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "groupBy" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "ALM",
          "doc_count" : 310,
          "docs_per_day" : {
            "buckets" : [
              {
                "key_as_string" : "2021-07-08T00:00:00.000Z",
                "key" : 1625702400000,
                "doc_count" : 6
              },
              {
                "key_as_string" : "2021-07-09T00:00:00.000Z",
                "key" : 1625788800000,
                "doc_count" : 304
              }
            ]
          },
          "avg_count" : {
            "value" : 155.0
          }
        }
      ]
    }
  }
}
Thanks a lot.
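Added example, not part of the question above: a small Python helper that walks a trimmed copy of the Dev Tools response to show where avg_count actually sits. It is a pipeline aggregation under aggregations.groupBy.buckets[].avg_count.value, not a field of any hit document, so an option that copies values from hits.hits[]._source (as the filter's `fields` option does) has nothing to copy; the sample response is constructed from the one in the post, and the function names are mine.

```python
# Where an avg_bucket value lives in a search response, versus what the
# Logstash elasticsearch filter's `fields` option reads (hits.hits[]._source).
import json

# Constructed sample: a trimmed copy of the Dev Tools response from the post.
SAMPLE_RESPONSE = json.loads("""
{
  "hits": {"total": {"value": 310, "relation": "eq"}, "max_score": null, "hits": []},
  "aggregations": {
    "groupBy": {
      "buckets": [
        {
          "key": "ALM",
          "doc_count": 310,
          "docs_per_day": {"buckets": [
            {"key_as_string": "2021-07-08T00:00:00.000Z", "doc_count": 6},
            {"key_as_string": "2021-07-09T00:00:00.000Z", "doc_count": 304}
          ]},
          "avg_count": {"value": 155.0}
        }
      ]
    }
  }
}
""")


def hit_source_fields(response):
    """What `fields => {...}` can copy: the _source of each hit (none here)."""
    return [hit.get("_source", {}) for hit in response["hits"]["hits"]]


def average_alerts_per_day(response, terms_agg="groupBy", metric="avg_count"):
    """Map each terms-bucket key to its nested pipeline-aggregation value."""
    buckets = response["aggregations"][terms_agg]["buckets"]
    return {b["key"]: b[metric]["value"] for b in buckets}


def recompute_from_histogram(bucket, histogram="docs_per_day"):
    """Cross-check avg_bucket: the mean of the per-day doc_count values."""
    counts = [b["doc_count"] for b in bucket[histogram]["buckets"]]
    return sum(counts) / len(counts)


if __name__ == "__main__":
    print("visible to `fields`:", hit_source_fields(SAMPLE_RESPONSE))
    print("avg_count per customer:", average_alerts_per_day(SAMPLE_RESPONSE))
```

The filter plugin also has an `aggregation_fields` option that copies an aggregation object into an event field (whether the plugin version bundled with Logstash 7.10 includes it is an assumption here); the path walked above is the structure that object would contain.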