在 Kibana KQL 中加入查询

问题描述 投票:0回答:1

我在 ES 中有三个日志

{"@timestamp":"2022-07-19T11:24:16.274073+05:30","log":{"level":200,"logger":"production","message":"BUY_ITEM1","context":{"user_id":31312},"datetime":"2022-07-19T11:24:16.274073+05:30","extra":{"ip":"127.0.0.1"}}}

{"@timestamp":"2022-07-19T11:24:16.274073+05:30","log":{"level":200,"logger":"production","message":"BUY_ITEM2","context":{"user_id":31312},"datetime":"2022-07-19T11:24:16.274073+05:30","extra":{"ip":"127.0.0.1"}}}

{"@timestamp":"2022-07-19T11:24:16.274073+05:30","log":{"level":200,"logger":"production","message":"CLICK_ITEM3","context":{"user_id":31312},"datetime":"2022-07-19T11:24:16.274073+05:30","extra":{"ip":"127.0.0.1"}}}

我可以通过在Kibana的KQL中查询

Item1
来获取购买
log.message: "BUY_ITEM1"
的用户。

如何获取同时具有 

BUY_ITEM1
BUY_ITEM2
的 user_ids ?

elasticsearch kibana
1个回答
1
投票

Tldr;

Join
中存在的查询在 
SQL
中实际上不可能存在,它们
非常有限
您需要解决这个问题。

解决办法

您可以对他们购买的所有产品的

Elasticsearch

进行聚合

user_id


这会给你以下结果


GET /73031860/_search
{
  "query": {
    "terms": {
      "log.message.keyword": [
        "BUY_ITEM1",
        "BUY_ITEM2"
      ]
    }
  },
  "size": 0,
  "aggs": {
    "users": {
      "terms": {
        "field": "log.context.user_id",
        "size": 10
      },
      "aggs": {
        "products": {
          "terms": {
            "field": "log.message.keyword",
            "size": 10
          }
        }
      }
    }
  }
}


    

      

      
    

  

  

    
最新问题


  





  

    © www.soinside.com 2019 - 2024. All rights reserved.