elasticsearch - 在弹性查询中访问数组

问题描述

我有包含数组的文档 - 有时有重复

   {
        "_index" : "indexx_v1-2020.11",
        "_type" : "x-logs",
        "_id" : "wZ_p_XUBV4a6COay8wWzJ",
        "_score" : 10.089222,
        "_source" : {
          "actiontype" : "doit",
          "geoip" : {
              // geographic data
          },
          "data" : {
            "field" : [
              "foo",
              "bar",
              "foo",
              "bar"
            ],
          },
          "@version" : "1",
          "header" : {
            "product" : "our_product",
            "processGUID" : "6528",
          }
        }
      },

      {
        "_index" : "indexx_v1-2020.11",
        "_type" : "x-logs",
        "_id" : "xJq-_XVWV3f6COaXnRqx",
        "_score" : 9.089443,
        "_source" : {
          "actiontype" : "doit",
          "geoip" : {
              // geographic data
          },
          "data" : {
            "field" : [
              "foo",
              "bar"
            ],
          },
          "@version" : "1",
          "header" : {
            "product" : "our_product",
            "processGUID" : "3456",
          }
        }
      },

如果我使用带有doc语法重复的无痛脚本访问这些字段：

所以

doc['data.field'].length

两个文档都返回 2。

这使我无法使用脚本进行过滤，因为此表达式永远不会为真

"script": {
   "script" : { 
      "inline": """
          return doc['data.field'].length > 2 &&
                 doc['data.field'][2] == 'foo' &&
                 doc['data.field'][3] == 'bar';
           }
      }

任何提示 newbee 过滤这些不同的文档或构建聚合以将这些计算为变体

foo/bar           : 1 document
foo/bar/foo/bar   : 1 document

谢谢

标签： elasticsearchkibana