我正在尝试创建一个脚本字段,该脚本字段将计算两个时间戳之间的时间差,然后avg在该脚本字段上聚合一个。
avg
我首先尝试:
{ "query": { "filtered": { "query": { "match_all": {} }, "filter": { "and": [ { "exists": { "field": "time.new_time" } }, { "exists": { "field": "time.first_alert_time" } } ] } } }, "script_fields": { "timedifference": { "script": "doc['time.new_time'].value - doc['time.first_alert_time'].value" } }, "aggs": { "avg_timedifference": { "avg": { "field" : "timedifference" } } } }
null在合计平均值下产生价值avg_timedifference。
null
avg_timedifference
然后我尝试了:
{ "query": { "filtered": { "query": { "match_all": {} }, "filter": { "and": [ { "exists": { "field": "time.new_time" } }, { "exists": { "field": "time.first_alert_time" } } ] } } }, "script_fields": { "timedifference": { "script": "doc['time.new_time'].value - doc['time.first_alert_time'].value" } }, "aggs": { "avg_timedifference": { "avg": { "script" : "doc['timedifference'].value" } } } }
生成了一条错误消息,内容为:“在映射中找不到[timedifference]的字段”
简单地将脚本移到聚合上怎么样?
{ "query": { "filtered": { "query": { "match_all": {} }, "filter": { "and": [ { "exists": { "field": "time.new_time" } }, { "exists": { "field": "time.first_alert_time" } } ] } } }, "aggs": { "avg_timedifference": { "avg": { "script" : "Math.ceil(doc['time.new_time'].value - doc['time.first_alert_time'].value)" } } } }
