如何配置elasticsearch正则表达式查询

Question

我尝试配置 elasticsearch 请求。我使用 DSL 并尝试在 "message" 字段中找到一些带有单词 "swagger" 的数据。

这是我想展示的正确答案之一：

  {
                "_index": "apiconnect508",
                "_type": "audit",
                "_id": "AWF1us1T4ztincEzswAr",
                "_score": 1,
                "_source": {
                    "consumerOrgId": null,
                    "headers": {
                        "http_accept": "application/json",
                        "content_type": "application/json",
                        "request_path": "/apim-5a7c34e0e4b02e66c60edbb2-2018.02/auditevent",
                        "http_version": "HTTP/1.1",
                        "http_connection": "keep-alive",
                        "request_method": "POST",
                        "http_host": "localhost:9700",
                        "request_uri": "/apim-5a7c34e0e4b02e66c60edbb2-2018.02/auditevent",
                        "content_length": "533",
                        "http_user_agent": "Wink Client v1.1.1"
                    },
                    "nlsMessage": {
                        "resource": "messages",
                        "replacements": [
                            "test",
                            "1.0.0",
                            "ext_mafashagov@rencredit.ru"
                        ],
                        "key": "swagger.import.notification"
                    },
                    "notificationType": "EVENT",
                    "eventType": "AUDIT",
                    "source": null,
                    "envId": null,
                    "message": "API test version 1.0.0 was created from a Swagger document by ext_mafashagov@rencredit.ru.",
                    "userId": "ext_mafashagov@rencredit.ru",
                    "orgId": "5a7c34e0e4b02e66c60edbb2",
                    "assetType": "api",
                    "tags": [
                        "_geoip_lookup_failure"
                    ],
                    "gateway_geoip": {},
                    "datetime": "2018-02-08T14:04:32.731Z",
                    "@timestamp": "2018-02-08T14:04:32.747Z",
                    "assetId": "5a7c58f0e4b02e66c60edc53",
                    "@version": "1",
                    "host": "127.0.0.1",
                    "id": "5a7c58f0e4b02e66c60edc55",
                    "client_geoip": {}
                }
            }

我尝试通过以下方式找到 JSON：

POST myAddress/_search

下一个查询在没有 "regexp" 字段的情况下有效。我应该如何配置查询的正则表达式部分？

{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
               "@timestamp" : {"gte" : "now-100d"}

              }
            },
            {
              "term": {
                "_type": "audit"
              }
            },
            {
                "regexp" : {
                    "message": "*wagger*"
                }
            }

          ]
        }
      }
    }

  },
  "sort": {
    "TraceDateTime": {
      "order": "desc",
      "ignore_unmapped": "true"
    }
  }
}

Answer 1

如果分析消息字段，这个简单的匹配查询应该可以工作：

"match":{
    "message":"*swagger*"
}

但是，如果不分析，这两个查询应该也适用于您：这两个查询区分大小写，因此如果您希望不对它进行分析，您应该考虑小写您的字段。

"wildcard":{
    "message":"*swagger*"
}

或

"regexp":{
    "message":"swagger"
}

小心通配符和正则表达式查询会降低性能。

如何配置elasticsearch正则表达式查询

How to configure elasticsearch regexp query

dsl

querydsl

elasticsearch