elasticsearch - 获取由唯一 ID 分隔的两个日志条目之间的时间差的无痛脚本

Question

我正在尝试获取两个日志条目之间的时间差，例如 RequestExecuted 和 RequestReceived ，其文件名为 MessageIdentifier。这些值由名为 TransactionId 的唯一 ID 链接。下面是我执行逻辑的代码。

int timetaken=0;      
int start=0;      
String TransactionId;      
int end=0;   

for(int i = 0; i < 10; ++i){        
    if (doc['dissect.MessageIdentifier'].value[i]=='RequestReceived') {          
        start=params._source.dissect.timestamp[i];          
        TransactionId=params._source.dissect.TransactionId[i];
     }        
    if( doc['dissect.MessageIdentifier'].value[i] =='RequestExecuted' 
        && params._source.dissect.TransactionId == TransactionId) {          
            end=params._source.dissect.timestamp[i];          
            timetaken = end - start; 
            return timetaken;
    }
}

当我编译我的无痛脚本时，它给了我一个错误：

lang": "painless",
    "caused_by": {
     "type": "illegal_argument_exception",
     "reason": "Attempting to address a non-array-like type [java.lang.String] as an array."

这是索引片段：

您的帮助将非常感激。

Answer 1

假设您的dissect字段是嵌套对象的数组，您可以执行以下操作：

创建索引

PUT dissect
{
  "mappings": {
    "properties": {
       "dissect" : {
         "type": "nested", 
          "properties" : {
            "MessageIdentifier" : {
              "type" : "text",
              "fielddata": true,
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "TransationId" : {
              "type" : "text",
              "fielddata": true,
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "timestamp" : {
              "type" : "date"
            }
          }
        }
    }
  }
}

同步样本

POST dissect/_doc
{
  "dissect": [
    {
      "MessageIdentifier": "abc",
      "timestamp": 200,
      "TransationId": "xyz"
    },
    {
      "MessageIdentifier": "RequestReceived",
      "timestamp": 300,
      "TransationId": "xyz"
    },
    {
      "MessageIdentifier": "RequestExecuted",
      "timestamp": 400,
      "TransationId": "xyz"
    }
  ]
}

运行您的脚本字段

GET dissect/_search
{
  "script_fields": {
    "timetaken": {
      "script": {
        "source": """
        int timetaken = 0;      
        int start = 0;      
        String TransactionId;      
        int end = 0;   

        for (def dissect_item : params._source['dissect']) {
          if (dissect_item['MessageIdentifier'] == 'RequestReceived') {          
                start = dissect_item['timestamp'];          
                TransactionId = dissect_item['TransactionId'];
            }

            if( dissect_item['MessageIdentifier'] =='RequestExecuted' 
                && dissect_item['TransactionId'] == TransactionId) {          
                    end = dissect_item['timestamp'];          
                    timetaken = end - start; 
                    return timetaken;
            }
        }
        """
      }
    }
  }
}

屈服

[
  {
    "_index":"dissect",
    "_type":"_doc",
    "_id":"_v7u43EBW-D5QnrWmjtM",
    "_score":1.0,
    "fields":{
      "timetaken":[
        100              <-----
      ]
    }
  }
]

---

关键要点：您不想迭代硬编码长度为 10，而是迭代为for (def dissect_item : params._source['dissect'])