弹性搜索模式匹配未按预期工作
Elastic search pattern match not working as expected
我正在尝试对消息 Cannot allocate memory 进行模式匹配。
我希望它仅在匹配整个消息时才会打印,但它正在打印,即使它只匹配文档中的单词 'Cannot or allocate or memory'。
您能否建议此查询是否需要任何修改?
查询:
GET /_search?pretty
{
"query": {
"bool": {
"must": {
"query_string": {
"query": "Cannot allocate memory"
}
},
"filter": {
"range": {
"timestamp": {
"gt": "now-1h"
}
}
}
}
}
}
结果:
{
"took":186,
"timed_out":false,
"_shards":{
"total":2337,
"successful":2337,
"skipped":2331,
"failed":0
},
"hits":{
"total":10,
"max_score":38.4559,
"hits":[
{
"_index":"MMJ-2020-06-08-18-45",
"_type":"_MMJ",
"_id":"49605400288259767318470290294414874485955515962252853330.0",
"_score":38.4559,
"_source":{
"message":"Cannot allocate memory",
"host":"MMJ",
"processed":"2020-06-08T19:10:22.046111Z",
"stack":"",
"timestamp":"2020-06-08T19:10:21.927881+00:00"
}
},
{
"_index":"MMJ-2020-06-08-18-45",
"_type":"_MMJ",
"_id":"49605400288215165828073229047621636353532845727514886194.0",
"_score":11.734165,
"_source":{
"message":"found character %'%' that cannot start any token",
"host":"MMJ",
"processed":"2020-06-08T19:10:21.938001Z",
"stack":"",
"timestamp":"2020-06-08T19:10:21.926992+00:00"
}
}
]
}
}
使用 default_operator -- 它默认为 OR 但您需要一个 AND:
{
...
"query_string":{
"query":"Cannot allocate memory",
"default_operator":"AND"
}
...
}
我正在尝试对消息 Cannot allocate memory 进行模式匹配。
我希望它仅在匹配整个消息时才会打印,但它正在打印,即使它只匹配文档中的单词 'Cannot or allocate or memory'。
您能否建议此查询是否需要任何修改?
查询:
GET /_search?pretty
{
"query": {
"bool": {
"must": {
"query_string": {
"query": "Cannot allocate memory"
}
},
"filter": {
"range": {
"timestamp": {
"gt": "now-1h"
}
}
}
}
}
}
结果:
{
"took":186,
"timed_out":false,
"_shards":{
"total":2337,
"successful":2337,
"skipped":2331,
"failed":0
},
"hits":{
"total":10,
"max_score":38.4559,
"hits":[
{
"_index":"MMJ-2020-06-08-18-45",
"_type":"_MMJ",
"_id":"49605400288259767318470290294414874485955515962252853330.0",
"_score":38.4559,
"_source":{
"message":"Cannot allocate memory",
"host":"MMJ",
"processed":"2020-06-08T19:10:22.046111Z",
"stack":"",
"timestamp":"2020-06-08T19:10:21.927881+00:00"
}
},
{
"_index":"MMJ-2020-06-08-18-45",
"_type":"_MMJ",
"_id":"49605400288215165828073229047621636353532845727514886194.0",
"_score":11.734165,
"_source":{
"message":"found character %'%' that cannot start any token",
"host":"MMJ",
"processed":"2020-06-08T19:10:21.938001Z",
"stack":"",
"timestamp":"2020-06-08T19:10:21.926992+00:00"
}
}
]
}
}
使用 default_operator -- 它默认为 OR 但您需要一个 AND:
{
...
"query_string":{
"query":"Cannot allocate memory",
"default_operator":"AND"
}
...
}