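A Kibana query runs an aggregation over the queried time range. For the last 15 minutes, it aggregates the document count in 30-second buckets:
When the number of documents in the queried time range is very large, this is very slow and sometimes fails with an error:
Query Request Payload: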
{"index":"www_log-*","ignore_unavailable":true}
{"size":500,"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"query":{"filtered":{"query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":1449469826877,"lte":1449470726877}}}],"must_not":[]}}}},"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"fragment_size":2147483647},"aggs":{"2":{"date_histogram":{"field":"@timestamp","interval":"30s","pre_zone":"+08:00","pre_zone_adjust_large_interval":true,"min_doc_count":0,"extended_bounds":{"min":1449469826876,"max":1449470726876}}}},"fields":["*","_source"],"script_fields":{},"fielddata_fields":["@timestamp"]}
If the index has no time-format field:
{"index":"www_log-*","ignore_unavailable":true}
{"size":500,"sort":[{"_score":{"order":"desc","unmapped_type":"boolean"}}],"query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"fragment_size":2147483647},"fields":["*","_source"],"script_fields":{},"fielddata_fields":[]}
Aggregating 5 minutes of data, from 2015-12-07 14:30:00 to 2015-12-07 14:35:00, on the index www_log-*:
http://10.1.***:9200/www_log-*/logs/
{
  "query": {
    "filtered": {
      "filter": {
        "range": {
          "request": {
            "gte": 1449469826877,
            "lte": 1449470126877
          }
        }
      }
    }
  },
  "aggs": {
    "request": {
      "date_histogram": {
        "field": "request",
        "interval": "30s",
        "pre_zone": "+08:00",
        "min_doc_count": 0
      }
    }
  }
}
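This took 199 seconds.
Querying the data for aguid=1447075650199_3724624 and aggregating the 15 minutes of data from 2015-12-07 14:30:00 to 2015-12-07 14:45:00 took 224 seconds, even though the aggregation result was 0.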
{
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "analyze_wildcard": true,
          "query": "aguid:\"1447075650199_3724624\""
        }
      },
      "filter": {
        "range": {
          "request": {
            "gte": 1441469826877,
            "lte": 1449470726877
          }
        }
      }
    }
  },
  "aggs": {
    "request": {
      "date_histogram": {
        "field": "request",
        "interval": "30s",
        "pre_zone": "+08:00",
        "min_doc_count": 0,
        "extended_bounds": {
          "min": 1449469826876,
          "max": 1449470726876
        }
      }
    }
  }
}
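With the aggregation removed, it took 14 seconds.
When Kibana runs a query, aggregating over a large time range causes a significant performance drop, for example aggregating document counts at 30-second granularity over the last 15 minutes. When the number of documents is very large, the query can be slow or even fail with an error. The example queries show that aggregating 5 minutes of data took 199 seconds and aggregating 15 minutes took 224 seconds, even with a result of 0. With the aggregation removed, the time dropped to 14 seconds, which shows that the aggregation is the performance bottleneck.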
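A pre-flight check for request bodies like the two above, as an added example that is not part of the original post: before a body is sent, it reports the time span the range filter covers, an upper bound on the buckets a date_histogram can produce over that span, and whether extended_bounds agrees with the filter (that last check goes slightly beyond what the post covers). The helper names `find`, `preflight` and `without_aggs` are hypothetical, and the two dicts are the page's request bodies reduced to the keys the check reads.

```python
UNIT_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

def find(node, key):
    """Yield every value stored under `key` anywhere in a nested JSON body."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find(item, key)

def preflight(body):
    """For each date_histogram, report the filtered span and the buckets it implies."""
    ranges = {f: b for r in find(body.get("query", {}), "range") for f, b in r.items()}
    report = []
    for hist in find(body.get("aggs", {}), "date_histogram"):
        bounds = ranges.get(hist["field"])
        if bounds is None:
            continue  # histogram field has no range filter, nothing to compare
        step = int(hist["interval"][:-1]) * UNIT_MS[hist["interval"][-1]]
        span = bounds["lte"] - bounds["gte"]
        ext = hist.get("extended_bounds")
        report.append({
            "span_seconds": span // 1000,
            # ceil(span / step) full steps, plus one partial bucket at the edge
            "max_buckets": -(-span // step) + 1,
            "bounds_match_filter": ext is None or (
                abs(ext["min"] - bounds["gte"]) < step
                and abs(ext["max"] - bounds["lte"]) < step),
        })
    return report

def without_aggs(body):
    """Same search with the aggregation removed (the 14-second variant)."""
    return {k: v for k, v in body.items() if k != "aggs"}

# Request bodies from the page, reduced to the keys the check reads.
FIVE_MIN = {
    "query": {"filtered": {"filter": {"range": {"request": {
        "gte": 1449469826877, "lte": 1449470126877}}}}},
    "aggs": {"request": {"date_histogram": {
        "field": "request", "interval": "30s", "min_doc_count": 0}}}}
AGUID = {
    "query": {"filtered": {"filter": {"range": {"request": {
        "gte": 1441469826877, "lte": 1449470726877}}}}},
    "aggs": {"request": {"date_histogram": {
        "field": "request", "interval": "30s", "min_doc_count": 0,
        "extended_bounds": {"min": 1449469826876, "max": 1449470726876}}}}}

if __name__ == "__main__":
    for name, body in (("5 min", FIVE_MIN), ("aguid", AGUID)):
        print(name, preflight(body), sorted(without_aggs(body)))
```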