Unable to match data, e.g. `/service/${id}`

LiuDui · March 20, 2020, 6:09am

Dev Tools

GET http-log/kong/_search
{
  "query": {
    "match": {
      "request.uri": "/service"
    }
  }, 
  "size": 0, 
  "aggs": {
    "group": {
      "terms": {
        "field": "request.uri.keyword",
        "size": 20
      }
    }
  }
}

Output

  "aggregations": {
    "group": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "/service/3",
          "doc_count": 8
        },
        {
          "key": "/service/10",
          "doc_count": 6
        },
        {
          "key": "/service/26",
          "doc_count": 2
        },
        {
          "key": "/service/1",
          "doc_count": 1
        },
        {
          "key": "/service/2",
          "doc_count": 1
        }
      ]
    }
  }

The following keys are all log data /service/${id} generated by the same API, but they are divided into different keys and how do I match them together?

/service/3
/service/10
/service/26
/service/1
/service/2

LiuDui · March 20, 2020, 6:12am

Looking forward to your reply

LiuDui · March 20, 2020, 6:14am

Container deployment

docker.elastic.co/kibana/kibana:6.3.2
docker.elastic.co/elasticsearch/elasticsearch:6.3.2
OS: centos7

spinscale · March 20, 2020, 9:20am

Elasticsearch does not have the notion of grouping by default. There are two approaches to this. First, add another field in your indexing process that only indexes the first part of the URL (/service/ in this case and then group by that one), second, use a script in the terms aggregation, that is only returning the first part of the URL. Note that this will be rather slow and is not recommended, when you execute this query often, but can help you to verify this idea.

Hope this helps!

LiuDui · March 30, 2020, 9:40am

thanks！

system · April 27, 2020, 9:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.