elasticsearch copy_to字段与聚合的行为不符合预期

2023年11月4日 344次阅读

我有一个带有两个字符串字段的索引映射,field1和field2,都被声明为copy_to到另一个名为all_fields的字段. all_fields被索引为“not_analyzed”.

当我在all_fields上创建一个桶聚合时,我期待不同的桶,其中field1和field2的键连接在一起.相反,我得到了单独的桶,其中field1和field2的键是非连接的.

例:
制图:

  {
    "mappings": {
      "myobject": {
        "properties": {
          "field1": {
            "type": "string",
            "index": "analyzed",
            "copy_to": "all_fields"
          },
          "field2": {
            "type": "string",
            "index": "analyzed",
            "copy_to": "all_fields"
          },
          "all_fields": {
            "type": "string",
            "index": "not_analyzed"
          }
        }
      }
    }
  }

数据:

  {
    "field1": "dinner carrot potato broccoli",
    "field2": "something here",
  }


  {
    "field1": "fish chicken something",
    "field2": "dinner",
  }

聚合:

{
  "aggs": {
    "t": {
      "terms": {
        "field": "all_fields"
      }
    }
  }
}

结果:

...
"aggregations": {
    "t": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
            {
                "key": "dinner",
                "doc_count": 1
            },
            {
                "key": "dinner carrot potato broccoli",
                "doc_count": 1
            },
            {
                "key": "fish chicken something",
                "doc_count": 1
            },
            {
                "key": "something here",
                "doc_count": 1
            }
        ]
    }
}

我期待着只有2个桶,鱼肉东西和晚餐胡萝卜土豆broccolisomehere

我究竟做错了什么?

最佳答案 您正在寻找的是两个字符串的连接. copy_to即使看起来这样做,也不是.使用copy_to,从概念上讲,您将从field1和field2创建一组值,而不是连接它们.

对于您的用例,您有两种选择:

>使用_source transformation
>执行脚本聚合

我建议使用_source转换,因为我认为它比编写脚本更有效.这意味着,您在索引时付出的代价要比执行大量脚本聚合要多.

对于_source转换:

PUT /lastseen
{
  "mappings": {
    "test": {
      "transform": {
        "script": "ctx._source['all_fields'] = ctx._source['field1'] + ' ' + ctx._source['field2']"
      }, 
      "properties": {
        "field1": {
          "type": "string"
        },
        "field2": {
          "type": "string"
        },
        "lastseen": {
          "type": "long"
        },
        "all_fields": {
          "type": "string",
          "index": "not_analyzed"
        }
      }
    }
  }
}

和查询:

GET /lastseen/test/_search
{
  "aggs": {
    "NAME": {
      "terms": {
        "field": "all_fields",
        "size": 10
      }
    }
  }
}

对于脚本聚合,更容易做(意思是,使用doc [‘field’].value而不是更昂贵的_source.field)将.raw子字段添加到field1和field2:

PUT /lastseen
{
  "mappings": {
    "test": { 
      "properties": {
        "field1": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "field2": {
          "type": "string",
          "fields": {
            "raw": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        },
        "lastseen": {
          "type": "long"
        }
      }
    }
  }
}

脚本将使用这些.raw子字段:

{
  "aggs": {
    "NAME": {
      "terms": {
        "script": "doc['field1.raw'].value + ' ' + doc['field2.raw'].value", 
        "size": 10,
        "lang": "groovy"
      }
    }
  }
}

如果没有.raw子字段(有意地将其作为not_analyzed),你将需要做这样的事情,这是更昂贵的:

{
  "aggs": {
    "NAME": {
      "terms": {
        "script": "_source.field1 + ' ' + _source.field2", 
        "size": 10,
        "lang": "groovy"
      }
    }
  }
}
点赞