filter query on specific field in elastic search
I have a document like this:
{
_index: "logstash-2015.11.30",
_type: "hadoopgeneric",
_id: "AVFVsF6ypMu_z_qvIUgL",
_score: null,
_source: {
@timestamp: "2015-11-30T00:00:00.017Z",
message: "selector : 48 - Element found for using multiple selectors using query .js-product-brand.product-brand",
@version: "1",
host: "ip-x-x-x-x",
path: "/logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr",
type: "hadoopgeneric",
thread_id: "15119",
thread_name: "MainThread",
component_name: "Page",
severity: "DEBUG",
env: "STG",
role: "spider",
ip: "x.x.x.x",
tags: [
"processed"
]
},
}
I have to filter the documents that contain the path /logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr (in the path field).
I tried this general search query: http://localhost:9200/logstash-*/_search?pretty=true&q="/logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr"&sort=@timestamp&size=100000
It gave me results, but now I am thinking of searching only in the path field by firing the query like this (I got no results with this query) -- http://localhost:9200/logstash-*/_search?pretty=true&q="path: /logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr"&sort=@timestamp&size=100000
I went through this Elasticsearch document, Term Query. But I am not sure how to pass a query like that as POST parameters in Elasticsearch. I am using a Python library to make POST requests to Elasticsearch.
Below is what I have tried so far:
esurl = "http://localhost:9200/logstash-*/_search"
r = requests.post(esurl,data={"term":{'path':'/logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr'}})
r.text
{"error":"SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; shardFailures {[5D_RNDQPRf6xyLO1suIoCA][logstash-2015.11.30][0]: RemoteTransportException[[ip-x-x-x-x-elkstorage][inet[/x.x.x.x:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2015.11.30][0]: from[-1],size[-1]: Parse Failure [Failed to parse source [_na_]]]; nested: ElasticsearchParseException[Failed to derive xcontent]; }{[o8jLb8P5SWOfsCo78eUlHg][logstash-2015.12.01][0]: RemoteTransportException[[ip-x-x-x-x-elkstorage][inet[/x.x.x.x:9300]][indices:data/read/search[phase/query]]]; nested: SearchParseException[[logstash-2015.12.01][0]: from[-1],size[-1]: Parse Failure [Failed to parse source [_na_]]]; nested: ElasticsearchParseException[Failed to derive xcontent];}
The q parameter seems to be wrong (the " character is in the wrong position), try this:
http://localhost:9200/logstash-*/_search?pretty=true&q=path:"/logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr"&sort=@timestamp&size=100000
On the other hand, the term query is valid, but it has to be inside the query key, for example:
import requests
import json
esurl = "http://localhost:9200/logstash-*/_search"
r = requests.post(esurl,data=json.dumps({"query": {"term":{'path':'/logs/stats/container/application_1448508514184_0178/container_e06_1448508514184_0178_01_003568/stderr'}}}))
r.text
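The two fixes from this answer as an added Python example (not part of the original answer): the term clause is serialized as JSON under "query", and the q= phrase is quoted and percent-encoded. It builds the requests with the standard library without sending them; the helper names, the Content-Type header and the default size are assumptions of this example.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

ES_SEARCH = "http://localhost:9200/logstash-*/_search"  # URL from the question
# Value taken from the question's sample document
SAMPLE_PATH = ("/logs/stats/container/application_1448508514184_0178/"
               "container_e06_1448508514184_0178_01_003568/stderr")


def term_search_request(field, value, url=ES_SEARCH):
    """POST request whose body is JSON with the term clause under "query".

    The value travels as a JSON string, so it is never parsed as
    query-string syntax, whatever characters it contains.
    """
    body = json.dumps({"query": {"term": {field: value}}}).encode("utf-8")
    # Elasticsearch 6.0+ rejects a body sent without an explicit content type.
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/json"})


def quote_phrase(value):
    """Wrap value as a quoted phrase for the q= parameter.

    Inside double quotes only the backslash and the quote itself are escaped.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def uri_search_url(field, value, url=ES_SEARCH, size=100, sort="@timestamp"):
    """URI search limited to one field: q=field:"value", percent-encoded."""
    params = {"pretty": "true", "q": f"{field}:{quote_phrase(value)}",
              "sort": sort, "size": size}
    return url + "?" + urlencode(params)


if __name__ == "__main__":
    req = term_search_request("path", SAMPLE_PATH)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(uri_search_url("path", SAMPLE_PATH))
```

Building the q= value through quote_phrase and urlencode keeps a field value that contains quotes, slashes or ampersands from changing the shape of the query or of the URL.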
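Building queries correctly for Elasticsearch's DSL is a pain. It is very easy to get wrong. For most use cases I just use the query-builder in the Head plugin or the SQL-to-ES plugin.
Both provide a simple UI to generate the query - you can convert the result to JSON and use it in your code.
It takes some installation work, but if you need to formulate a lot of ES queries it is really worth it.
head plugin - it does more than just build queries.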