The following aggregation query computes the average parameter length (param_len) per 6-hour window.
GET iis_log/_search
{
  "size": 0,
  "aggs": {
    "NAME": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "6h",
        "time_zone": "Asia/Seoul"
      },
      "aggs": {
        "avg_param_len": {
          "avg": { "field": "param_len" }
        }
      }
    }
  }
}
The result looks like this.
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 },
  "hits" : { "total" : { "value" : 10000, "relation" : "gte" }, "max_score" : null, "hits" : [ ] },
  "aggregations" : {
    "NAME" : {
      "buckets" : [
        { "key_as_string" : "2011-01-10T00:00:00.000+09:00", "key" : 1294585200000, "doc_count" : 23059, "avg_param_len" : { "value" : 30.699646643109542 } },
        { "key_as_string" : "2011-01-10T06:00:00.000+09:00", "key" : 1294606800000, "doc_count" : 43065, "avg_param_len" : { "value" : 59.9764801297648 } },
        { "key_as_string" : "2011-01-10T12:00:00.000+09:00", "key" : 1294628400000, "doc_count" : 14142, "avg_param_len" : { "value" : 61.711198428290764 } },
        { "key_as_string" : "2011-01-10T18:00:00.000+09:00", "key" : 1294650000000, "doc_count" : 3039, "avg_param_len" : { "value" : 28.022099447513813 } },
        { "key_as_string" : "2011-01-11T00:00:00.000+09:00", "key" : 1294671600000, "doc_count" : 19986, "avg_param_len" : { "value" : 32.1719298245614 } },
        { "key_as_string" : "2011-01-11T06:00:00.000+09:00", "key" : 1294693200000, "doc_count" : 11552, "avg_param_len" : { "value" : 22.02202643171806 } },
        { "key_as_string" : "2011-01-11T12:00:00.000+09:00", "key" : 1294714800000, "doc_count" : 9273, "avg_param_len" : { "value" : 57.35164835164835 } },
        { "key_as_string" : "2011-01-11T18:00:00.000+09:00", "key" : 1294736400000, "doc_count" : 5227, "avg_param_len" : { "value" : 55.41836734693877 } },
        { "key_as_string" : "2011-01-12T00:00:00.000+09:00", "key" : 1294758000000, "doc_count" : 35308, "avg_param_len" : { "value" : 52.79931584948689 } },
        { "key_as_string" : "2011-01-12T06:00:00.000+09:00", "key" : 1294779600000, "doc_count" : 32713, "avg_param_len" : { "value" : 58.729517396184065 } },
        { "key_as_string" : "2011-01-12T12:00:00.000+09:00", "key" : 1294801200000, "doc_count" : 12217, "avg_param_len" : { "value" : 41.99505928853755 } },
        { "key_as_string" : "2011-01-12T18:00:00.000+09:00", "key" : 1294822800000, "doc_count" : 6005, "avg_param_len" : { "value" : 46.053016453382085 } }
      ]
    }
  }
}
Next, the same query with a bucket_selector pipeline aggregation that applies a condition to the aggregation result. buckets_path binds the sibling avg_param_len metric to the script variable value_limit, and the script decides per bucket whether it is kept.
GET iis_log/_search
{
  "size": 0,
  "aggs": {
    "NAME": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "6h",
        "time_zone": "Asia/Seoul"
      },
      "aggs": {
        "avg_param_len": {
          "avg": { "field": "param_len" }
        },
        "my_filter": {
          "bucket_selector": {
            "buckets_path": { "value_limit": "avg_param_len" },
            "script": "params.value_limit > 60"
          }
        }
      }
    }
  }
}
As the condition specifies, only buckets whose average is greater than 60 come back; in this data set that is the single 2011-01-10T12:00 window (61.71).
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 },
  "hits" : { "total" : { "value" : 10000, "relation" : "gte" }, "max_score" : null, "hits" : [ ] },
  "aggregations" : {
    "NAME" : {
      "buckets" : [
        { "key_as_string" : "2011-01-10T12:00:00.000+09:00", "key" : 1294628400000, "doc_count" : 14142, "avg_param_len" : { "value" : 61.711198428290764 } }
      ]
    }
  }
}
In SQL terms it is roughly this (the analogy is the HAVING clause; note that hour(timestamp) groups by hour of day, whereas the histogram above buckets by calendar-aligned 6-hour window):

select hour(timestamp), avg(param_len)
from iis_log
group by hour(timestamp)
having avg(param_len) > 60
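To make the pipeline concrete, here is a local replay of date_histogram → avg → bucket_selector (the HAVING-style filter above) over a handful of constructed IIS-style log lines. This is an added example, not code from the original post or from Elasticsearch. The field names @timestamp and param_len follow the post; the log format, the rule that param_len is the length of cs-uri-query (absent when the query is "-"), the fixed +09:00 offset standing in for Asia/Seoul (Korea has no DST), and the handling of a bucket whose avg is null are all assumptions. Two of the constructed requests carry URL-encoded SQL-injection-style query strings, which is exactly the kind of traffic that inflates the per-window average and trips the > 60 condition.

```python
"""Local replay of date_histogram -> avg -> bucket_selector.

Added example, not code from the original post or from Elasticsearch.
Log lines are constructed; IIS writes timestamps in UTC, so the 6h
buckets must be aligned in KST the way "time_zone": "Asia/Seoul" does.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))   # "time_zone": "Asia/Seoul" (fixed +09:00, no DST)
INTERVAL = timedelta(hours=6)        # "fixed_interval": "6h"
THRESHOLD = 60                       # "script": "params.value_limit > 60"

# Constructed sample: "<date> <time> <cs-uri-stem> <cs-uri-query>", '-' = no query string.
# The two /board.asp requests at 09:15 and 10:40 UTC carry SQLi-style payloads.
SAMPLE_LOG = """\
2011-01-10 00:10:00 /index.asp id=1
2011-01-10 01:20:00 /index.asp id=2&page=3
2011-01-10 03:30:00 /login.asp user=alice
2011-01-10 04:00:00 /board.asp id=7
2011-01-10 09:15:00 /board.asp id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--
2011-01-10 10:40:00 /board.asp q=%27%20OR%201%3D1%20UNION%20SELECT%20NULL%2CNULL%2CNULL%2Cversion%28%29--
2011-01-10 16:05:00 /static/logo.png -
2011-01-10 17:30:00 /static/style.css -
"""


def parse_log(text):
    """Turn raw lines into documents with @timestamp (aware UTC) and param_len.

    Assumption: param_len is the length of cs-uri-query, and a '-' query
    leaves the field out entirely, like a missing field in Elasticsearch.
    """
    docs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, _stem, query = line.split(" ", 3)
        ts = datetime.fromisoformat(f"{date}T{time_}").replace(tzinfo=timezone.utc)
        doc = {"@timestamp": ts}
        if query != "-":
            doc["param_len"] = len(query)
        docs.append(doc)
    return docs


def bucket_key(ts):
    """Floor ts to a 6h boundary measured on the KST clock (what
    date_histogram does with time_zone set); returns an aware KST datetime."""
    local = ts.astimezone(KST).replace(tzinfo=None)
    secs = (local - datetime(1970, 1, 1)).total_seconds()
    floored = datetime(1970, 1, 1) + timedelta(seconds=secs - secs % INTERVAL.total_seconds())
    return floored.replace(tzinfo=KST)


def date_histogram_avg(docs):
    """date_histogram on @timestamp with a nested avg on param_len,
    returned in key order and shaped like the buckets in the ES response."""
    groups = defaultdict(list)
    for doc in docs:
        groups[bucket_key(doc["@timestamp"])].append(doc)
    buckets = []
    for key in sorted(groups):
        vals = [d["param_len"] for d in groups[key] if "param_len" in d]
        buckets.append({
            "key_as_string": key.isoformat(timespec="milliseconds"),
            "key": int(key.timestamp() * 1000),
            "doc_count": len(groups[key]),
            # avg over a bucket with no param_len values is null in ES
            "avg_param_len": {"value": sum(vals) / len(vals) if vals else None},
        })
    return buckets


def bucket_selector(buckets, path="avg_param_len", threshold=THRESHOLD):
    """The post's bucket_selector: params.value_limit > 60.

    A bucket whose metric is null is not evaluated; this replay drops it
    (assumption about what gap_policy "skip" does; check your version's docs).
    """
    kept = []
    for b in buckets:
        value = b[path]["value"]
        if value is None:
            continue
        if value > threshold:
            kept.append(b)
    return kept


def flagged_windows(text=SAMPLE_LOG):
    """End-to-end: the HAVING avg(param_len) > 60 filter, run locally."""
    return bucket_selector(date_histogram_avg(parse_log(text)))


if __name__ == "__main__":
    for b in date_histogram_avg(parse_log(SAMPLE_LOG)):
        print(b["key_as_string"], b["doc_count"], b["avg_param_len"]["value"])
    print("selected:", [b["key_as_string"] for b in flagged_windows()])
```

Run it and only the 2011-01-10T18:00:00.000+09:00 window survives the selector: the two payload requests (63 and 74 characters) average 68.5, the neighbouring windows sit under 10, and the window holding only static files has no param_len at all, so its avg is null and it is never compared against 60. That null case is worth remembering when you write the script: a Painless comparison against a missing value is not the same as a comparison against zero.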
The problem is that Kibana does not support this feature (..). For comparison, Splunk does it like this.
[Figure: Splunk search results; caption "Before applying the condition"]