Kibana: same field in one query joined with the "and not" operator. "AND" and "AND NOT" precedence

I need to search for documents whose text field "Body" contains "Balance for subscriber with SAN" and exclude those containing "was not found after invoking reip-adapter". I created this KQL request in Kibana:

Body : "Balance for subscriber with SAN" and not Body : "was not found after invoking reip-adapter"

But the results include documents that satisfy both conditions, e.g. "Balance for subscriber with SAN" and "was not found after invoking reip-adapter". Why do documents containing "Balance for subscriber with SAN" AND "was not found after invoking reip-adapter" appear in my results?

Checking the KQL request:

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match_phrase": {
                        "Body": "Balance for subscriber with SAN"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "must_not": {
                    "bool": {
                      "should": [
                        {
                          "match_phrase": {
                            "Body": "was not found after invoking reip-adapter"
                          }
                        }
                      ],
                      "minimum_should_match": 1
                    }
                  }
                }
              }
            ]
          }
        },
        {
          "range": {
            "Timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2020-08-29T08:24:55.067Z",
              "lte": "2020-08-29T10:24:55.067Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

The "and not" condition does not work; the response:

-----omitted--------
        "_source": {
          "prospector": {},
          "Severity": "INFO",
          "uuid": "e71b207a-42a6-4b2c-98d1-b1094c578776",
          "Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
          "tags": [
            "iptv",
            "beats_input_codec_plain_applied"
          ],
          "source": "/applogs/Iptv/app.log",
          "host": {
            "name": "e38"
          },
          "offset": 23097554,
          "pid": "2473",
          "Configuration": "IptvFacadeBean",
          "Timestamp": "2020-08-29T10:24:50.040Z",
          "@timestamp": "2020-08-29T10:24:50.446Z",
          "input": {}
        }
-----omitted--------

The data you indexed in the Body field is:

"Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."

There is no space between the number and "was" (0400043102was), so the generated tokens are:

POST /_analyze

{
  "analyzer" : "standard",
  "text" : "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
}

The tokens are:

{
    "tokens": [
        {
            "token": "balance",
            "start_offset": 0,
            "end_offset": 7,
            "type": "<ALPHANUM>",
            "position": 0
        },
        {
            "token": "for",
            "start_offset": 8,
            "end_offset": 11,
            "type": "<ALPHANUM>",
            "position": 1
        },
        {
            "token": "subscriber",
            "start_offset": 12,
            "end_offset": 22,
            "type": "<ALPHANUM>",
            "position": 2
        },
        {
            "token": "with",
            "start_offset": 23,
            "end_offset": 27,
            "type": "<ALPHANUM>",
            "position": 3
        },
        {
            "token": "san",
            "start_offset": 28,
            "end_offset": 31,
            "type": "<ALPHANUM>",
            "position": 4
        },
        {
            "token": "0400043102was",       <-- note this
            "start_offset": 32,
            "end_offset": 45,
            "type": "<ALPHANUM>",
            "position": 5
        },
        {
            "token": "not",
            "start_offset": 46,
            "end_offset": 49,
            "type": "<ALPHANUM>",
            "position": 6
        },
        {
            "token": "found",
            "start_offset": 50,
            "end_offset": 55,
            "type": "<ALPHANUM>",
            "position": 7
        },
        {
            "token": "after",
            "start_offset": 56,
            "end_offset": 61,
            "type": "<ALPHANUM>",
            "position": 8
        },
        {
            "token": "invoking",
            "start_offset": 62,
            "end_offset": 70,
            "type": "<ALPHANUM>",
            "position": 9
        },
        {
            "token": "reip",
            "start_offset": 71,
            "end_offset": 75,
            "type": "<ALPHANUM>",
            "position": 10
        },
        {
            "token": "adapter",
            "start_offset": 76,
            "end_offset": 83,
            "type": "<ALPHANUM>",
            "position": 11
        }
    ]
}

So when you run this match_phrase:

 "should": [
                        {
                          "match_phrase": {
                            "Body": "was not found after invoking reip-adapter"
                          }
                        }
                      ]

no token "was" is generated, so the document matches and the must_not condition has no effect.

Indexed data:

{ "Body":"Balance for subscriber with SAN=0400043102" }
{ "Body":"Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter." }

Search query:

{
  "query": {
    "bool": {
      "must": {
        "match_phrase": {
          "Body": "Balance for subscriber with SAN"
        }
      },
      "must_not": {
        "match_phrase": {
          "Body": "not found after invoking reip-adapter"
        }
      }
    }
  }
}

Search result:

"hits": [
            {
                "_index": "my_index",
                "_type": "_doc",
                "_id": "2",
                "_score": 1.055546,
                "_source": {
                    "Body": "Balance for subscriber with SAN=0400043102"
                }
            }
        ]
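The failure mode explained in the answer above can be reproduced offline. The following is an added example, not part of the original question or answer and not Elasticsearch code: it approximates the standard analyzer (lowercase, split on anything that is not a letter or digit, which gives the same tokens as the _analyze output shown above for this ASCII log line), implements match_phrase as a consecutive-token check, and evaluates the must / must_not bool query against the two constructed documents from the answer. The `missing_tokens` helper is an assumption of mine for diagnosing why an exclusion phrase cannot match; the sample documents are constructed to mirror the ones in the answer.

```python
import re

# Approximation of Elasticsearch's standard analyzer: lowercase and split on
# any run of characters that are not letters or digits. The real analyzer uses
# Unicode word-boundary rules, but for this ASCII log text the tokens match the
# _analyze output above ("SAN=0400043102was" -> "san", "0400043102was").
def analyze(text):
    return [t.lower() for t in re.findall(r"[0-9A-Za-z]+", text)]


def match_phrase(doc_tokens, phrase):
    """True if the analyzed phrase occurs as a consecutive run of tokens (slop 0)."""
    q = analyze(phrase)
    if not q:
        return False
    n = len(q)
    return any(doc_tokens[i:i + n] == q for i in range(len(doc_tokens) - n + 1))


def missing_tokens(doc_tokens, phrase):
    """Phrase tokens absent from the document; any hit means match_phrase can never succeed.

    Hypothetical diagnostic helper, not an Elasticsearch API."""
    return [t for t in analyze(phrase) if t not in doc_tokens]


def bool_query(docs, must, must_not):
    """Mimic bool {must: match_phrase, must_not: match_phrase}; returns matching Body values."""
    hits = []
    for body in docs:
        toks = analyze(body)
        if match_phrase(toks, must) and not match_phrase(toks, must_not):
            hits.append(body)
    return hits


# Constructed sample index mirroring the two documents in the answer.
DOCS = [
    "Balance for subscriber with SAN=0400043102",
    "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
]

MUST = "Balance for subscriber with SAN"
BAD_EXCLUDE = "was not found after invoking reip-adapter"   # phrase from the question
GOOD_EXCLUDE = "not found after invoking reip-adapter"      # phrase from the answer


def original_query():
    """The question's query: the must_not phrase starts with 'was', which is never a token."""
    return bool_query(DOCS, MUST, BAD_EXCLUDE)


def fixed_query():
    """The answer's query: drop the glued-on 'was' so the phrase aligns with real tokens."""
    return bool_query(DOCS, MUST, GOOD_EXCLUDE)


if __name__ == "__main__":
    toks = analyze(DOCS[1])
    print("tokens:", toks)
    print("tokens the exclusion phrase needs but the doc lacks:", missing_tokens(toks, BAD_EXCLUDE))
    print("original must_not returns:", original_query())
    print("fixed must_not returns:", fixed_query())
```

The point for anyone maintaining exclusion filters in Kibana or SIEM detection queries: a must_not on match_phrase is only as reliable as the tokenization of the text it is supposed to exclude. When an application glues a value to the next word (here the missing space after the SAN), the exclusion silently stops excluding and the documents reappear in results. Running the phrase through _analyze on the same analyzer as the field, as the answer does, is the check to make before trusting a negative filter.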