Elasticsearch time-range query and data
I am trying to put together the correct API search call for Elastic Search that will request the ipv4address I want within the last 1 hour.
First attempt:
curl -X GET "localhost:9200/ipaddresses/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"match": {
"ipv4address": {
"query": "50.167.71.25"
}
}
},
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
'
{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [range].","line":10,"col":12}],"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [range].","line":10,"col":12},"status":400}
Second attempt:
curl -X GET "localhost:9200/ipaddresses/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"match": {
"ipv4address": {
"query": "50.167.71.25"
}
}
},
"fields": {
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
}
'
{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [fields].","line":10,"col":14}],"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [fields].","line":10,"col":14},"status":400}
What I have in Kibana:
{
"_index": "ipaddresses",
"_type": "default",
"_id": "TJdvR2UB9sEBYW4CrElF",
"_version": 1,
"_score": null,
"_source": {
"tags": [
"blocked",
"ipv4_address"
],
"@version": "1",
"@timestamp": "2018-08-17T10:30:25.118Z",
"ipv4_metadata": {
"host": "elk",
"name": "blocks",
"response_message": "OK",
"code": 200,
"times_retried": 0,
"runtime_seconds": 0.066403,
"response_headers": {
"connection": "keep-alive",
"x-frame-options": "sameorigin",
"last-modified": "Fri, 17 Aug 2018 10:28:06 GMT",
"keep-alive": "timeout=20",
"date": "Fri, 17 Aug 2018 10:28:20 GMT",
"content-type": "text/plain; charset=UTF-8",
"server": "nginx/1.12.2",
"transfer-encoding": "chunked",
"etag": "W/\"5c7c5-5739f03f2997f\"",
"cache-control": "public"
}
},
"ipv4address": "50.167.71.25",
"message": "50.167.71.25"
},
"fields": {
"@timestamp": [
"2018-08-17T10:30:25.118Z"
]
},
"sort": [
1534501825118
]
}
What is wrong with the query?
What if I also want to find the "tag" field equal to blocked?
Please help me connect the dots.
This query will return documents from the last 1 hour:
{
"query": {
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
}
This query will return documents that are tagged blocked and are from the last 1 hour:
{
"query": {
"bool": {
"must": [
{
"match": {
"tags": "blocked"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1h",
"lte": "now"
}
}
}
]
}
}
}
You can use _source to limit the data that is returned.
This query will return only ipv4address:
{
"_source": "ipv4address",
"query": {
"bool": {
"must": [
{
"match": {
"tags": "blocked"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1h",
"lte": "now"
}
}
}
]
}
}
}
If you want to apply more queries, take a look at this.
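Putting the pieces of the answer together, as an added example that is not part of the question or the answer above: the Python below builds the search body for the question's use case (exact IP, `blocked` tag, last-hour window, `_source` restricted to `ipv4address`) and then evaluates the same predicate locally over constructed documents shaped like the Kibana hit, so the `gte now-1h` / `lt now` window semantics can be checked without a cluster. The `ipv4address.keyword` subfield (what dynamic mapping creates for string fields; the answer uses `match` on `ipv4address` instead), the fixed `FIXED_NOW`, and the `SAMPLE_DOCS` are my assumptions, not data from the page.

```python
"""Added example: build the search body the answer arrives at and check its
filter semantics locally against constructed documents."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample documents shaped like the Kibana hit in the question.
SAMPLE_DOCS = [
    {"@timestamp": "2018-08-17T10:30:25.118Z", "tags": ["blocked", "ipv4_address"],
     "ipv4address": "50.167.71.25", "message": "50.167.71.25"},
    {"@timestamp": "2018-08-17T08:30:25.118Z", "tags": ["blocked", "ipv4_address"],
     "ipv4address": "50.167.71.25", "message": "50.167.71.25"},   # older than 1h
    {"@timestamp": "2018-08-17T10:45:00.000Z", "tags": ["allowed", "ipv4_address"],
     "ipv4address": "50.167.71.25", "message": "50.167.71.25"},   # not blocked
    {"@timestamp": "2018-08-17T10:50:00.000Z", "tags": ["blocked", "ipv4_address"],
     "ipv4address": "203.0.113.9", "message": "203.0.113.9"},     # different IP
]

# Assumed fixed "now" so the window check is reproducible offline.
FIXED_NOW = datetime(2018, 8, 17, 11, 0, tzinfo=timezone.utc)


def build_query(ip, tag="blocked", window="1h", source_fields=("ipv4address",)):
    """Return the request body for GET /ipaddresses/_search.

    Every clause sits under "query" -> "bool". A top-level "range" or
    "fields" key, as in the two attempts in the question, is not a known
    search-body key, which is exactly what the parsing_exception reports.
    """
    return {
        "_source": list(source_fields),
        "query": {
            "bool": {
                # filter instead of must: these are yes/no conditions,
                # so relevance scoring is unnecessary.
                "filter": [
                    # Assumption: dynamic mapping gave ipv4address a .keyword
                    # subfield; term on it is an exact, unanalyzed comparison.
                    {"term": {"ipv4address.keyword": ip}},
                    {"match": {"tags": tag}},
                    {"range": {"@timestamp": {"gte": f"now-{window}", "lt": "now"}}},
                ]
            }
        },
    }


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp Logstash writes into @timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def matches(doc, ip, tag, now, window=timedelta(hours=1)):
    """Local equivalent of the three filter clauses: gte now-window, lt now."""
    ts = parse_ts(doc["@timestamp"])
    return (
        doc.get("ipv4address") == ip
        and tag in doc.get("tags", [])
        and now - window <= ts < now
    )


def local_search(docs, ip, tag="blocked", now=None, source_fields=("ipv4address",)):
    """Apply matches() and the _source filter; returns each hit's _source."""
    now = now or datetime.now(timezone.utc)
    return [
        {k: d[k] for k in source_fields if k in d}
        for d in docs
        if matches(d, ip, tag, now)
    ]


if __name__ == "__main__":
    print(json.dumps(build_query("50.167.71.25"), indent=2))
    print(local_search(SAMPLE_DOCS, "50.167.71.25", now=FIXED_NOW))
```

Two practical notes. `now` is evaluated by Elasticsearch in UTC, which is also how Logstash writes `@timestamp`, so no timezone conversion is needed for the window; mixing `lt` and `lte` against `now`, as the answer does, makes no observable difference. For blocklist lookups, mapping `ipv4address` with the `ip` field type instead of the default text/keyword pair lets a `term` query accept CIDR notation (for example `50.167.0.0/16`) and lets `range` queries compare addresses numerically, which a `match` on an analyzed string field cannot do.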