Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: d5b03f668b
Branches Tags
elasticsearch
/
docs
/
reference
/
aggregations
/
metrics
/
top-metrics-aggregation.asciidoc

top-metrics-aggregation.asciidoc 8.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401 
  1. [role="xpack"]
    2. 

  2. [testenv="basic"]
    3. 

  3. [[search-aggregations-metrics-top-metrics]]
    4. 

  4. === Top Metrics Aggregation
    5. 

  5. 

  6. The `top_metrics` aggregation selects metrics from the document with the largest or smallest "sort"
    7. 

  7. value. For example, this gets the value of the `m` field on the document with the largest value of `s`:
    8. 

  8. 

  9. [source,console,id=search-aggregations-metrics-top-metrics-simple]
    10. 

  10. ----
    11. 

  11. POST /test/_bulk?refresh
    12. 

  12. {"index": {}}
    13. 

  13. {"s": 1, "m": 3.1415}
    14. 

  14. {"index": {}}
    15. 

  15. {"s": 2, "m": 1.0}
    16. 

  16. {"index": {}}
    17. 

  17. {"s": 3, "m": 2.71828}
    18. 

  18. POST /test/_search?filter_path=aggregations
    19. 

  19. {
    20. 

  20.   "aggs": {
    21. 

  21.     "tm": {
    22. 

  22.       "top_metrics": {
    23. 

  23.         "metrics": {"field": "m"},
    24. 

  24.         "sort": {"s": "desc"}
    25. 

  25.       }
    26. 

  26.     }
    27. 

  27.   }
    28. 

  28. }
    29. 

  29. ----
    30. 

  30. 

  31. Which returns:
    32. 

  32. 

  33. [source,js]
    34. 

  34. ----
    35. 

  35. {
    36. 

  36.   "aggregations": {
    37. 

  37.     "tm": {
    38. 

  38.       "top": [ {"sort": [3], "metrics": {"m": 2.718280076980591 } } ]
    39. 

  39.     }
    40. 

  40.   }
    41. 

  41. }
    42. 

  42. ----
    43. 

  43. // TESTRESPONSE
    44. 

  44. 

  45. `top_metrics` is fairly similar to <<search-aggregations-metrics-top-hits-aggregation, `top_hits`>>
    46. 

  46. in spirit but because it is more limited it is able to do its job using less memory and is often
    47. 

  47. faster.
    48. 

  48. 

  49. ==== `sort`
    50. 

  50. 

  51. The `sort` field in the metric request functions exactly the same as the `sort` field in the
    52. 

  52. <<sort-search-results, search>> request except:
    53. 

  53. * It can't be used on <<binary,binary>>, <<flattened,flattened>>, <<ip,ip>>,
    54. 

  54. <<keyword,keyword>>, or <<text,text>> fields.
    55. 

  55. * It only supports a single sort value so which document wins ties is not specified.
    56. 

  56. 

  57. The metrics that the aggregation returns is the first hit that would be returned by the search
    58. 

  58. request. So,
    59. 

  59. 

  60. `"sort": {"s": "desc"}`:: gets metrics from the document with the highest `s`
    61. 

  61. `"sort": {"s": "asc"}`:: gets the metrics from the document with the lowest `s`
    62. 

  62. `"sort": {"_geo_distance": {"location": "35.7796, -78.6382"}}`::
    63. 

  63.   gets metrics from the documents with `location` *closest* to `35.7796, -78.6382`
    64. 

  64. `"sort": "_score"`:: gets metrics from the document with the highest score
    65. 

  65. 

  66. ==== `metrics`
    67. 

  67. 

  68. `metrics` selects the fields of the "top" document to return. You can request
    69. 

  69. a single metric with something like `"metric": {"field": "m"}` or multiple
    70. 

  70. metrics by requesting a list of metrics like `"metric": [{"field": "m"}, {"field": "i"}`.
    71. 

  71. Here is a more complete example:
    72. 

  72. 

  73. [source,console,id=search-aggregations-metrics-top-metrics-list-of-metrics]
    74. 

  74. ----
    75. 

  75. PUT /test
    76. 

  76. {
    77. 

  77.   "mappings": {
    78. 

  78.     "properties": {
    79. 

  79.       "d": {"type": "date"}
    80. 

  80.     }
    81. 

  81.   }
    82. 

  82. }
    83. 

  83. POST /test/_bulk?refresh
    84. 

  84. {"index": {}}
    85. 

  85. {"s": 1, "m": 3.1415, "i": 1, "d": "2020-01-01T00:12:12Z"}
    86. 

  86. {"index": {}}
    87. 

  87. {"s": 2, "m": 1.0, "i": 6, "d": "2020-01-02T00:12:12Z"}
    88. 

  88. {"index": {}}
    89. 

  89. {"s": 3, "m": 2.71828, "i": -12, "d": "2019-12-31T00:12:12Z"}
    90. 

  90. POST /test/_search?filter_path=aggregations
    91. 

  91. {
    92. 

  92.   "aggs": {
    93. 

  93.     "tm": {
    94. 

  94.       "top_metrics": {
    95. 

  95.         "metrics": [
    96. 

  96.           {"field": "m"},
    97. 

  97.           {"field": "i"},
    98. 

  98.           {"field": "d"}
    99. 

  99.         ],
    100. 

  100.         "sort": {"s": "desc"}
    101. 

  101.       }
    102. 

  102.     }
    103. 

  103.   }
    104. 

  104. }
    105. 

  105. ----
    106. 

  106. 

  107. Which returns:
    108. 

  108. 

  109. [source,js]
    110. 

  110. ----
    111. 

  111. {
    112. 

  112.   "aggregations": {
    113. 

  113.     "tm": {
    114. 

  114.       "top": [ {
    115. 

  115.         "sort": [3],
    116. 

  116.         "metrics": {
    117. 

  117.           "m": 2.718280076980591,
    118. 

  118.           "i": -12,
    119. 

  119.           "d": "2019-12-31T00:12:12.000Z"
    120. 

  120.         }
    121. 

  121.       } ]
    122. 

  122.     }
    123. 

  123.   }
    124. 

  124. }
    125. 

  125. ----
    126. 

  126. // TESTRESPONSE
    127. 

  127. 

  128. ==== `size`
    129. 

  129. 

  130. `top_metrics` can return the top few document's worth of metrics using the size parameter:
    131. 

  131. 

  132. [source,console,id=search-aggregations-metrics-top-metrics-size]
    133. 

  133. ----
    134. 

  134. POST /test/_bulk?refresh
    135. 

  135. {"index": {}}
    136. 

  136. {"s": 1, "m": 3.1415}
    137. 

  137. {"index": {}}
    138. 

  138. {"s": 2, "m": 1.0}
    139. 

  139. {"index": {}}
    140. 

  140. {"s": 3, "m": 2.71828}
    141. 

  141. POST /test/_search?filter_path=aggregations
    142. 

  142. {
    143. 

  143.   "aggs": {
    144. 

  144.     "tm": {
    145. 

  145.       "top_metrics": {
    146. 

  146.         "metrics": {"field": "m"},
    147. 

  147.         "sort": {"s": "desc"},
    148. 

  148.         "size": 3
    149. 

  149.       }
    150. 

  150.     }
    151. 

  151.   }
    152. 

  152. }
    153. 

  153. ----
    154. 

  154. 

  155. Which returns:
    156. 

  156. 

  157. [source,js]
    158. 

  158. ----
    159. 

  159. {
    160. 

  160.   "aggregations": {
    161. 

  161.     "tm": {
    162. 

  162.       "top": [
    163. 

  163.         {"sort": [3], "metrics": {"m": 2.718280076980591 } },
    164. 

  164.         {"sort": [2], "metrics": {"m": 1.0 } },
    165. 

  165.         {"sort": [1], "metrics": {"m": 3.1414999961853027 } }
    166. 

  166.       ]
    167. 

  167.     }
    168. 

  168.   }
    169. 

  169. }
    170. 

  170. ----
    171. 

  171. // TESTRESPONSE
    172. 

  172. 

  173. The default `size` is 1. The maximum default size is `10` because the aggregation's
    174. 

  174. working storage is "dense", meaning we allocate `size` slots for every bucket. `10`
    175. 

  175. is a *very* conservative default maximum and you can raise it if you need to by
    176. 

  176. changing the `top_metrics_max_size` index setting. But know that large sizes can
    177. 

  177. take a fair bit of memory, especially if they are inside of an aggregation which
    178. 

  178. makes many buckes like a large
    179. 

  179. <<search-aggregations-metrics-top-metrics-example-terms, terms aggregation>>. If
    180. 

  180. you till want to raise it, use something like:
    181. 

  181. 

  182. [source,console]
    183. 

  183. ----
    184. 

  184. PUT /test/_settings
    185. 

  185. {
    186. 

  186.   "top_metrics_max_size": 100
    187. 

  187. }
    188. 

  188. ----
    189. 

  189. // TEST[continued]
    190. 

  190. 

  191. NOTE: If `size` is more than `1` the `top_metrics` aggregation can't be the *target* of a sort.
    192. 

  192. 

  193. ==== Examples
    194. 

  194. 

  195. [[search-aggregations-metrics-top-metrics-example-terms]]
    196. 

  196. ===== Use with terms
    197. 

  197. 

  198. This aggregation should be quite useful inside of <<search-aggregations-bucket-terms-aggregation, `terms`>>
    199. 

  199. aggregation, to, say, find the last value reported by each server.
    200. 

  200. 

  201. [source,console,id=search-aggregations-metrics-top-metrics-terms]
    202. 

  202. ----
    203. 

  203. PUT /node
    204. 

  204. {
    205. 

  205.   "mappings": {
    206. 

  206.     "properties": {
    207. 

  207.       "ip": {"type": "ip"},
    208. 

  208.       "date": {"type": "date"}
    209. 

  209.     }
    210. 

  210.   }
    211. 

  211. }
    212. 

  212. POST /node/_bulk?refresh
    213. 

  213. {"index": {}}
    214. 

  214. {"ip": "192.168.0.1", "date": "2020-01-01T01:01:01", "m": 1}
    215. 

  215. {"index": {}}
    216. 

  216. {"ip": "192.168.0.1", "date": "2020-01-01T02:01:01", "m": 2}
    217. 

  217. {"index": {}}
    218. 

  218. {"ip": "192.168.0.2", "date": "2020-01-01T02:01:01", "m": 3}
    219. 

  219. POST /node/_search?filter_path=aggregations
    220. 

  220. {
    221. 

  221.   "aggs": {
    222. 

  222.     "ip": {
    223. 

  223.       "terms": {
    224. 

  224.         "field": "ip"
    225. 

  225.       },
    226. 

  226.       "aggs": {
    227. 

  227.         "tm": {
    228. 

  228.           "top_metrics": {
    229. 

  229.             "metrics": {"field": "m"},
    230. 

  230.             "sort": {"date": "desc"}
    231. 

  231.           }
    232. 

  232.         }
    233. 

  233.       }
    234. 

  234.     }
    235. 

  235.   }
    236. 

  236. }
    237. 

  237. ----
    238. 

  238. 

  239. Which returns:
    240. 

  240. 

  241. [source,js]
    242. 

  242. ----
    243. 

  243. {
    244. 

  244.   "aggregations": {
    245. 

  245.     "ip": {
    246. 

  246.       "buckets": [
    247. 

  247.         {
    248. 

  248.           "key": "192.168.0.1",
    249. 

  249.           "doc_count": 2,
    250. 

  250.           "tm": {
    251. 

  251.             "top": [ {"sort": ["2020-01-01T02:01:01.000Z"], "metrics": {"m": 2 } } ]
    252. 

  252.           }
    253. 

  253.         },
    254. 

  254.         {
    255. 

  255.           "key": "192.168.0.2",
    256. 

  256.           "doc_count": 1,
    257. 

  257.           "tm": {
    258. 

  258.             "top": [ {"sort": ["2020-01-01T02:01:01.000Z"], "metrics": {"m": 3 } } ]
    259. 

  259.           }
    260. 

  260.         }
    261. 

  261.       ],
    262. 

  262.       "doc_count_error_upper_bound": 0,
    263. 

  263.       "sum_other_doc_count": 0
    264. 

  264.     }
    265. 

  265.   }
    266. 

  266. }
    267. 

  267. ----
    268. 

  268. // TESTRESPONSE
    269. 

  269. 

  270. Unlike `top_hits`, you can sort buckets by the results of this metric:
    271. 

  271. 

  272. [source,console]
    273. 

  273. ----
    274. 

  274. POST /node/_search?filter_path=aggregations
    275. 

  275. {
    276. 

  276.   "aggs": {
    277. 

  277.     "ip": {
    278. 

  278.       "terms": {
    279. 

  279.         "field": "ip",
    280. 

  280.         "order": {"tm.m": "desc"}
    281. 

  281.       },
    282. 

  282.       "aggs": {
    283. 

  283.         "tm": {
    284. 

  284.           "top_metrics": {
    285. 

  285.             "metrics": {"field": "m"},
    286. 

  286.             "sort": {"date": "desc"}
    287. 

  287.           }
    288. 

  288.         }
    289. 

  289.       }
    290. 

  290.     }
    291. 

  291.   }
    292. 

  292. }
    293. 

  293. ----
    294. 

  294. // TEST[continued]
    295. 

  295. 

  296. Which returns:
    297. 

  297. 

  298. [source,js]
    299. 

  299. ----
    300. 

  300. {
    301. 

  301.   "aggregations": {
    302. 

  302.     "ip": {
    303. 

  303.       "buckets": [
    304. 

  304.         {
    305. 

  305.           "key": "192.168.0.2",
    306. 

  306.           "doc_count": 1,
    307. 

  307.           "tm": {
    308. 

  308.             "top": [ {"sort": ["2020-01-01T02:01:01.000Z"], "metrics": {"m": 3 } } ]
    309. 

  309.           }
    310. 

  310.         },
    311. 

  311.         {
    312. 

  312.           "key": "192.168.0.1",
    313. 

  313.           "doc_count": 2,
    314. 

  314.           "tm": {
    315. 

  315.             "top": [ {"sort": ["2020-01-01T02:01:01.000Z"], "metrics": {"m": 2 } } ]
    316. 

  316.           }
    317. 

  317.         }
    318. 

  318.       ],
    319. 

  319.       "doc_count_error_upper_bound": 0,
    320. 

  320.       "sum_other_doc_count": 0
    321. 

  321.     }
    322. 

  322.   }
    323. 

  323. }
    324. 

  324. ----
    325. 

  325. // TESTRESPONSE
    326. 

  326. 

  327. ===== Mixed sort types
    328. 

  328. 

  329. Sorting `top_metrics` by a field that has different types across different
    330. 

  330. indices producs somewhat suprising results: floating point fields are
    331. 

  331. always sorted independantly of whole numbered fields.
    332. 

  332. 

  333. [source,console,id=search-aggregations-metrics-top-metrics-mixed-sort]
    334. 

  334. ----
    335. 

  335. POST /test/_bulk?refresh
    336. 

  336. {"index": {"_index": "test1"}}
    337. 

  337. {"s": 1, "m": 3.1415}
    338. 

  338. {"index": {"_index": "test1"}}
    339. 

  339. {"s": 2, "m": 1}
    340. 

  340. {"index": {"_index": "test2"}}
    341. 

  341. {"s": 3.1, "m": 2.71828}
    342. 

  342. POST /test*/_search?filter_path=aggregations
    343. 

  343. {
    344. 

  344.   "aggs": {
    345. 

  345.     "tm": {
    346. 

  346.       "top_metrics": {
    347. 

  347.         "metrics": {"field": "m"},
    348. 

  348.         "sort": {"s": "asc"}
    349. 

  349.       }
    350. 

  350.     }
    351. 

  351.   }
    352. 

  352. }
    353. 

  353. ----
    354. 

  354. 

  355. Which returns:
    356. 

  356. 

  357. [source,js]
    358. 

  358. ----
    359. 

  359. {
    360. 

  360.   "aggregations": {
    361. 

  361.     "tm": {
    362. 

  362.       "top": [ {"sort": [3.0999999046325684], "metrics": {"m": 2.718280076980591 } } ]
    363. 

  363.     }
    364. 

  364.   }
    365. 

  365. }
    366. 

  366. ----
    367. 

  367. // TESTRESPONSE
    368. 

  368. 

  369. While this is better than an error it *probably* isn't what you were going for.
    370. 

  370. While it does lose some precision, you can explictly cast the whole number
    371. 

  371. fields to floating points with something like:
    372. 

  372. 

  373. [source,console]
    374. 

  374. ----
    375. 

  375. POST /test*/_search?filter_path=aggregations
    376. 

  376. {
    377. 

  377.   "aggs": {
    378. 

  378.     "tm": {
    379. 

  379.       "top_metrics": {
    380. 

  380.         "metrics": {"field": "m"},
    381. 

  381.         "sort": {"s": {"order": "asc", "numeric_type": "double"}}
    382. 

  382.       }
    383. 

  383.     }
    384. 

  384.   }
    385. 

  385. }
    386. 

  386. ----
    387. 

  387. // TEST[continued]
    388. 

  388. 

  389. Which returns the much more expected:
    390. 

  390. 

  391. [source,js]
    392. 

  392. ----
    393. 

  393. {
    394. 

  394.   "aggregations": {
    395. 

  395.     "tm": {
    396. 

  396.       "top": [ {"sort": [1.0], "metrics": {"m": 3.1414999961853027 } } ]
    397. 

  397.     }
    398. 

  398.   }
    399. 

  399. }
    400. 

  400. ----
    401. 

  401. // TESTRESPONSE
    402.