Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
lqb
/
elasticsearch
mirror de https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Ficheiros Problemas 0 Wiki
Árvore: d95d885bae
Ramos Etiquetas
elasticsearch
/
docs
/
reference
/
rollup
/
understanding-groups.asciidoc

understanding-groups.asciidoc 6.1 KB
Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. [role="xpack"]
    2. 

  2. [testenv="basic"]
    3. 

  3. [[rollup-understanding-groups]]
    4. 

  4. == Understanding Groups
    5. 

  5. 

  6. experimental[]
    7. 

  7. 

  8. To preserve flexibility, Rollup Jobs are defined based on how future queries may need to use the data.  Traditionally, systems force
    9. 

  9. the admin to make decisions about what metrics to rollup and on what interval.  E.g. The average of `cpu_time` on an hourly basis.  This
    10. 

  10. is limiting; if, at a future date, the admin wishes to see the average of `cpu_time` on an hourly basis _and partitioned by `host_name`_,
    11. 

  11. they are out of luck.
    12. 

  12. 

  13. Of course, the admin can decide to rollup the `[hour, host]` tuple on an hourly basis, but as the number of grouping keys grows, so do the
    14. 

  14. number of tuples the admin needs to configure.  Furthermore, these `[hours, host]` tuples are only useful for hourly rollups... daily, weekly,
    15. 

  15. or monthly rollups all require new configurations.
    16. 

  16. 

  17. Rather than force the admin to decide ahead of time which individual tuples should be rolled up, Elasticsearch's Rollup jobs are configured
    18. 

  18. based on which groups are potentially useful to future queries.  For example, this configuration:
    19. 

  19. 

  20. [source,js]
    21. 

  21. --------------------------------------------------
    22. 

  22. "groups" : {
    23. 

  23.   "date_histogram": {
    24. 

  24.     "field": "timestamp",
    25. 

  25.     "interval": "1h",
    26. 

  26.     "delay": "7d"
    27. 

  27.   },
    28. 

  28.   "terms": {
    29. 

  29.     "fields": ["hostname", "datacenter"]
    30. 

  30.   },
    31. 

  31.   "histogram": {
    32. 

  32.     "fields": ["load", "net_in", "net_out"],
    33. 

  33.     "interval": 5
    34. 

  34.   }
    35. 

  35. }
    36. 

  36. --------------------------------------------------
    37. 

  37. // NOTCONSOLE
    38. 

  38. 

  39. Allows `date_histogram`'s to be used on the `"timestamp"` field, `terms` aggregations to be used on the `"hostname"` and `"datacenter"`
    40. 

  40. fields, and `histograms` to be used on any of `"load"`, `"net_in"`, `"net_out"` fields.
    41. 

  41. 

  42. Importantly, these aggs/fields can be used in any combination.  This aggregation:
    43. 

  43. 

  44. [source,js]
    45. 

  45. --------------------------------------------------
    46. 

  46. "aggs" : {
    47. 

  47.   "hourly": {
    48. 

  48.     "date_histogram": {
    49. 

  49.       "field": "timestamp",
    50. 

  50.       "interval": "1h"
    51. 

  51.     },
    52. 

  52.     "aggs": {
    53. 

  53.       "host_names": {
    54. 

  54.         "terms": {
    55. 

  55.           "field": "hostname"
    56. 

  56.         }
    57. 

  57.       }
    58. 

  58.     }
    59. 

  59.   }
    60. 

  60. }
    61. 

  61. --------------------------------------------------
    62. 

  62. // NOTCONSOLE
    63. 

  63. 

  64. is just as valid as this aggregation:
    65. 

  65. 

  66. [source,js]
    67. 

  67. --------------------------------------------------
    68. 

  68. "aggs" : {
    69. 

  69.   "hourly": {
    70. 

  70.     "date_histogram": {
    71. 

  71.       "field": "timestamp",
    72. 

  72.       "interval": "1h"
    73. 

  73.     },
    74. 

  74.     "aggs": {
    75. 

  75.       "data_center": {
    76. 

  76.         "terms": {
    77. 

  77.           "field": "datacenter"
    78. 

  78.         }
    79. 

  79.       },
    80. 

  80.       "aggs": {
    81. 

  81.         "host_names": {
    82. 

  82.           "terms": {
    83. 

  83.             "field": "hostname"
    84. 

  84.           }
    85. 

  85.         },
    86. 

  86.         "aggs": {
    87. 

  87.           "load_values": {
    88. 

  88.             "histogram": {
    89. 

  89.               "field": "load",
    90. 

  90.               "interval": 5
    91. 

  91.             }
    92. 

  92.           }
    93. 

  93.         }
    94. 

  94.       }
    95. 

  95.     }
    96. 

  96.   }
    97. 

  97. }
    98. 

  98. --------------------------------------------------
    99. 

  99. // NOTCONSOLE
    100. 

  100. 

  101. 

  102. You'll notice that the second aggregation is not only substantially larger, it also swapped the position of the terms aggregation on
    103. 

  103. `"hostname"`, illustrating how the order of aggregations does not matter to rollups.  Similarly, while the `date_histogram` is required
    104. 

  104. for rolling up data, it isn't required while querying (although often used).  For example, this is a valid aggregation for
    105. 

  105. Rollup Search to execute:
    106. 

  106. 

  107. 

  108. [source,js]
    109. 

  109. --------------------------------------------------
    110. 

  110. "aggs" : {
    111. 

  111.   "host_names": {
    112. 

  112.     "terms": {
    113. 

  113.       "field": "hostname"
    114. 

  114.     }
    115. 

  115.   }
    116. 

  116. }
    117. 

  117. --------------------------------------------------
    118. 

  118. // NOTCONSOLE
    119. 

  119. 

  120. Ultimately, when configuring `groups` for a job, think in terms of how you might wish to partition data in a query at a future date...
    121. 

  121. then include those in the config.  Because Rollup Search allows any order or combination of the grouped fields, you just need to decide
    122. 

  122. if a field is useful for aggregating later, and how you might wish to use it (terms, histogram, etc)
    123. 

  123. 

  124. === Grouping Limitations with heterogeneous indices
    125. 

  125. 

  126. There was previously a limitation in how Rollup could handle indices that had heterogeneous mappings (multiple, unrelated/non-overlapping
    127. 

  127. mappings).  The recommendation at the time was to configure a separate job per data "type".  For example, you might configure a separate
    128. 

  128. job for each Beats module that you had enabled (one for `process`, another for `filesystem`, etc).
    129. 

  129. 

  130. This recommendation was driven by internal implementation details that caused document counts to be potentially incorrect if a single "merged"
    131. 

  131. job was used.
    132. 

  132. 

  133. This limitation has since been alleviated.  As of 6.4.0, it is now considered best practice to combine all rollup configurations
    134. 

  134. into a single job.
    135. 

  135. 

  136. As an example, if your index has two types of documents:
    137. 

  137. 

  138. [source,js]
    139. 

  139. --------------------------------------------------
    140. 

  140. {
    141. 

  141.   "timestamp": 1516729294000,
    142. 

  142.   "temperature": 200,
    143. 

  143.   "voltage": 5.2,
    144. 

  144.   "node": "a"
    145. 

  145. }
    146. 

  146. --------------------------------------------------
    147. 

  147. // NOTCONSOLE
    148. 

  148. 

  149. and
    150. 

  150. 

  151. [source,js]
    152. 

  152. --------------------------------------------------
    153. 

  153. {
    154. 

  154.   "timestamp": 1516729294000,
    155. 

  155.   "price": 123,
    156. 

  156.   "title": "Foo"
    157. 

  157. }
    158. 

  158. --------------------------------------------------
    159. 

  159. // NOTCONSOLE
    160. 

  160. 

  161. the best practice is to combine them into a single rollup job which covers both of these document types, like this:
    162. 

  162. 

  163. [source,js]
    164. 

  164. --------------------------------------------------
    165. 

  165. PUT _xpack/rollup/job/combined
    166. 

  166. {
    167. 

  167.     "index_pattern": "data-*",
    168. 

  168.     "rollup_index": "data_rollup",
    169. 

  169.     "cron": "*/30 * * * * ?",
    170. 

  170.     "page_size" :1000,
    171. 

  171.     "groups" : {
    172. 

  172.       "date_histogram": {
    173. 

  173.         "field": "timestamp",
    174. 

  174.         "interval": "1h",
    175. 

  175.         "delay": "7d"
    176. 

  176.       },
    177. 

  177.       "terms": {
    178. 

  178.         "fields": ["node", "title"]
    179. 

  179.       }
    180. 

  180.     },
    181. 

  181.     "metrics": [
    182. 

  182.         {
    183. 

  183.             "field": "temperature",
    184. 

  184.             "metrics": ["min", "max", "sum"]
    185. 

  185.         },
    186. 

  186.         {
    187. 

  187.             "field": "price",
    188. 

  188.             "metrics": ["avg"]
    189. 

  189.         }
    190. 

  190.     ]
    191. 

  191. }
    192. 

  192. --------------------------------------------------
    193. 

  193. // NOTCONSOLE
    194. 

  194. 

  195. === Doc counts and overlapping jobs
    196. 

  196. 

  197. There was previously an issue with document counts on "overlapping" job configurations, driven by the same internal implementation detail.
    198. 

  198. If there were  two Rollup jobs saving to the same index, where one job is a "subset" of another job, it was possible that document counts
    199. 

  199. could be incorrect for certain aggregation arrangements.
    200. 

  200. 

  201. This issue has also since been eliminated in 6.4.0.
    202.