Elasticsearch日期之间的聚合字段

我想比较两个桶，并找到出现在第二个桶中的新事件。以下查询返回所提供的两个UNIX时间戳之间的“query.keyword”字段中的所有条目，但我希望UNIX时间戳与聚合部分本身分开。

GET _search
    {
      "size": 0,
      "query": {
        "range" :{
          "ts": {
            "gte":1535155200,
            "lte":1535414399
          }
        }
      },
      "aggs": {
        "domains": {
          "terms": {
            "field":"query.keyword"
          }
        }
      }
    }

我也尝试了这个，但收到了错误：

"Found two aggregation type definitions in [domains_prev]: [range] and [terms]",

GET _search
{
  "size": 0,
  "aggs": {
    "domains_prev": {
      "range" :{
        "field":"ts",
        "ranges": [
          {"to" :  1535414399},
          {"from" : 1535155200}
        ]
      },
      "terms": {
        "field":"query.keyword"
      }
    }
  }
}

目标是有类似的东西：

Agg1
"domains_prev"
"field":"query.keyword"
date:gte:timestamp, lte:timestamp

Agg2
"domains_today"
"field":"query.keyword"
date:today

show all "query.keyword" in agg2 that does not appear in agg1.

这是我用来实现预期结果的SQL查询：

select domains FROM table WHERE date >= 20171123 and domains NOT IN (SELECT domains FROM table WHERE date < 20171123 group by domains)