无痛脚本来获取两个日志条目之间的时差,这些日志条目之间用唯一ID隔开

问题描述 投票:0回答:1

我正在尝试获取两个日志条目(如RequestExecuted和RequestReceived)之间的时差,并使用文件名MessageIdentifier。这些值由名为TransactionId的唯一ID链接。下面是我的逻辑代码。

int timetaken=0;      
int start=0;      
String TransactionId;      
int end=0;   

for(int i = 0; i < 10; ++i){        
    if (doc['dissect.MessageIdentifier'].value[i]=='RequestReceived') {          
        start=params._source.dissect.timestamp[i];          
        TransactionId=params._source.dissect.TransactionId[i];
     }        
    if( doc['dissect.MessageIdentifier'].value[i] =='RequestExecuted' 
        && params._source.dissect.TransactionId == TransactionId) {          
            end=params._source.dissect.timestamp[i];          
            timetaken = end - start; 
            return timetaken;
    }
}

当我编译我的脚本时,它给了我一个错误:

lang": "painless",
    "caused_by": {
     "type": "illegal_argument_exception",
     "reason": "Attempting to address a non-array-like type [java.lang.String] as an array."

这里是索引段:

enter image description here

非常感谢您的帮助。

elasticsearch elasticsearch-painless kibana-7
1个回答
1
投票

假设您的dissect字段是嵌套对象的数组,您可以执行以下操作:

创建索引

PUT dissect
{
  "mappings": {
    "properties": {
       "dissect" : {
         "type": "nested", 
          "properties" : {
            "MessageIdentifier" : {
              "type" : "text",
              "fielddata": true,
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "TransationId" : {
              "type" : "text",
              "fielddata": true,
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "timestamp" : {
              "type" : "date"
            }
          }
        }
    }
  }
}

同步样本

POST dissect/_doc
{
  "dissect": [
    {
      "MessageIdentifier": "abc",
      "timestamp": 200,
      "TransationId": "xyz"
    },
    {
      "MessageIdentifier": "RequestReceived",
      "timestamp": 300,
      "TransationId": "xyz"
    },
    {
      "MessageIdentifier": "RequestExecuted",
      "timestamp": 400,
      "TransationId": "xyz"
    }
  ]
}

运行脚本字段

GET dissect/_search
{
  "script_fields": {
    "timetaken": {
      "script": {
        "source": """
        int timetaken = 0;      
        int start = 0;      
        String TransactionId;      
        int end = 0;   

        for (def dissect_item : params._source['dissect']) {
          if (dissect_item['MessageIdentifier'] == 'RequestReceived') {          
                start = dissect_item['timestamp'];          
                TransactionId = dissect_item['TransactionId'];
            }

            if( dissect_item['MessageIdentifier'] =='RequestExecuted' 
                && dissect_item['TransactionId'] == TransactionId) {          
                    end = dissect_item['timestamp'];          
                    timetaken = end - start; 
                    return timetaken;
            }
        }
        """
      }
    }
  }
}

屈服

[
  {
    "_index":"dissect",
    "_type":"_doc",
    "_id":"_v7u43EBW-D5QnrWmjtM",
    "_score":1.0,
    "fields":{
      "timetaken":[
        100              <-----
      ]
    }
  }
]

关键要点:您不想遍历10的硬编码长度,而是要复制为for (def dissect_item : params._source['dissect'])

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.