Elasticsearch Watcher error for range

PUT _xpack/watcher/watch/log_error_watch
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "filebeat-2017.01.02"
        ],
        "body": {
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ],
          "query": {
            "range": {
              "offset": {
                "gte": 1000,
                "lte": 2000
              }
            },
            "match": {
              "source": "/var/log/apache2/access.log"
            }
          },
          "size": 5
        }
      }
    }
  }
}

[o.e.m.j.JvmGcMonitorService] [hj-test156] [gc][11042] 开销,在最后 [1s] 中花费了 [701ms] 收集 [2017-01-02T15:32:04,311][错误][o.e.x.w.i.s.ExecutableSimpleInput] [hj-test156] 无法执行手表 [log_error_watch] 的 [搜索] 输入,原因 [[范围] 格式错误的查询,预计 [END_OBJECT] 但发现 [FIELD_NAME]]

Your query is malformed; you need to write it like this:

...
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "offset": {
              "gte": 1000,
              "lte": 2000
            }
          }
        },
        {
          "match": {
            "source": "/var/log/apache2/access.log"
          }
        }
      ]
    }
  }
},
...

UPDATE

For a range on a date field, you can do this:

{
  "range": {
    "@timestamp": {
      "gte": "2017-01-02T05:23:34.731Z",
      "lte": "2017-01-03T05:23:34.731Z"
    }
  }
},
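The root cause behind the "expected [END_OBJECT] but found [FIELD_NAME]" error is that a Query DSL object may hold exactly one query clause; two sibling clauses (`range` and `match`) must be combined inside `bool.must`. The following added example, which is not part of the question or the answer, is a small Python validator and builder that catches this shape error before the watch is stored, and shows the `bool.must` fix together with the date-field `range` from the update. The `validate_query`, `combine_must` and `build_watch_body` helpers, and the index and field names used in the sample, are assumptions made for this illustration, not part of Elasticsearch's API.

```python
import json

# Leaf query types covered by this illustration (a subset of the Query DSL; assumption).
LEAF_QUERIES = {"range", "match", "match_phrase", "term", "terms", "exists", "prefix", "wildcard"}
# bool sub-clauses that hold nested queries.
BOOL_CLAUSES = {"must", "filter", "should", "must_not"}
# bool parameters that are not queries and are skipped during validation.
BOOL_PARAMS = {"minimum_should_match", "boost", "_name"}


def validate_query(query, path="query"):
    """Recursively check that every query object carries exactly one clause.

    Raises ValueError with the offending path; returns True when the structure is sound.
    This mirrors the parser rule the Watcher error message is complaining about.
    """
    if not isinstance(query, dict):
        raise ValueError(f"{path}: expected an object, got {type(query).__name__}")
    if len(query) != 1:
        # This is exactly the shape of the question's query: two clauses side by side.
        raise ValueError(
            f"{path}: a query object must contain exactly one clause, "
            f"found {sorted(query)}; wrap them in bool.must"
        )
    (kind, body), = query.items()
    if kind == "bool":
        if not isinstance(body, dict):
            raise ValueError(f"{path}.bool: expected an object")
        for clause, sub in body.items():
            if clause in BOOL_CLAUSES:
                subs = sub if isinstance(sub, list) else [sub]
                for i, nested in enumerate(subs):
                    validate_query(nested, f"{path}.bool.{clause}[{i}]")
            elif clause not in BOOL_PARAMS:
                raise ValueError(f"{path}.bool: unknown clause {clause!r}")
    elif kind in LEAF_QUERIES:
        if not isinstance(body, dict) or len(body) != 1:
            raise ValueError(f"{path}.{kind}: expected exactly one field")
    else:
        raise ValueError(f"{path}: unsupported query type {kind!r}")
    return True


def combine_must(*clauses):
    """Combine several leaf clauses into the bool/must form the answer recommends."""
    return {"bool": {"must": list(clauses)}}


def build_watch_body(indices, query, size=5, interval="10s"):
    """Assemble a watch definition (same layout as the question) after validating the query."""
    validate_query(query)
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {
            "search": {
                "request": {
                    "indices": list(indices),
                    "body": {
                        "sort": [{"@timestamp": {"order": "desc"}}],
                        "query": query,
                        "size": size,
                    },
                }
            }
        },
    }


def check_query(query):
    """Return None when the query is well-formed, otherwise the validator's message."""
    try:
        validate_query(query)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample clauses, taken from the shapes shown on the page.
OFFSET_RANGE = {"range": {"offset": {"gte": 1000, "lte": 2000}}}
SOURCE_MATCH = {"match": {"source": "/var/log/apache2/access.log"}}
TIME_RANGE = {"range": {"@timestamp": {"gte": "2017-01-02T05:23:34.731Z",
                                        "lte": "2017-01-03T05:23:34.731Z"}}}

# The question's query: two sibling clauses under "query" (malformed).
BROKEN_QUERY = {**OFFSET_RANGE, **SOURCE_MATCH}
# The answer's fix, extended with the date range from the update.
FIXED_QUERY = combine_must(OFFSET_RANGE, SOURCE_MATCH, TIME_RANGE)

if __name__ == "__main__":
    print("broken:", check_query(BROKEN_QUERY))
    print("fixed:", check_query(FIXED_QUERY))
    print(json.dumps(build_watch_body(["filebeat-2017.01.02"], FIXED_QUERY), indent=2))
```

Run the script to see the validator reject the original shape with a message naming both clauses, and accept the `bool.must` form; `build_watch_body` refuses to emit a watch whose query would fail at execution time, which is the stage where the original error surfaced.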