首先，我们现在kiban上面绘制自己需要统计出来的数据

然后点击右上角inspect，将request的json格式复制

粘贴到Dev Tools上面，这样会将我们需要的数据，已json的形式返回

将请求的json格式保存下来，开始写py文件

from elasticsearch import Elasticsearch
import datetime

#初始化链接
es = Elasticsearch([{'host':'10.3.2.1','port':9200}])
#获取当前时间和7天前的UTC格式时间戳
last_7day=datetime.datetime.utcnow()-datetime.timedelta(days=6, hours=16)
now_time=datetime.datetime.utcnow()+datetime.timedelta(hours=8)
last_7day=last_7day.strftime('%Y-%m-%dT%H:%M:%S.%f%z')
now_time=now_time.strftime('%Y-%m-%dT%H:%M:%S.%f%z')

#定义DSL请求体
query_json={
    "aggs": {
        "2": {
            "terms": {
                "field": "message.keyword",
                "size": 30,
                "order": {
                    "_count": "desc"
                }
            }
        }
    },
    "size": 0,
    "_source": {
        "excludes": []
    },
    "stored_fields": [
        "*"
    ],
    "script_fields": {},
    "docvalue_fields": [
        {
            "field": "@timestamp",
            "format": "date_time"
        },
        {
            "field": "timestamp",
            "format": "date_time"
        }
    ],
    "query": {
        "bool": {
            "must": [
                {
                    "query_string": {
                        "query": "level:error",
                        "analyze_wildcard": "true",
                        "default_field": "*"
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "gte": last_7day,
                            "lte": now_time,
                        }
                    }
                }
            ],
            "filter": [],
            "should": [],
            "must_not": []
        }
    }
}
res=es.search(index='index-*', body=query_json)
res=res['aggregations']['2']['buckets']
for i in res:
    print(i)