Elasticsearch date range accuracy

TL;DR: Using a range filter on a date with an lte condition never returns the record with that exact date.

In the following snippets, focus on the @timestamp field.

Query:

POST logstash-*/logs/_search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": null,
        "lte": "2015-08-31T15:00:07.397Z",
        "format": "date_time"
      }
    }
  },
  "size": 20,
  "from": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "fields": [
    "*",
    "@timestamp"
  ]
}

Query result:

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 586,
    "max_score": null,
    "hits": [
      {
        "_index": "logstash-2015.08.31",
        "_type": "logs",
        "_id": "AU-ERb3Ndl1LVbEg-Dnb",
        "_score": null,
        "fields": {
          "@timestamp": [
            "2015-08-31T15:00:06.455Z"
          ]
        },
        "sort": [
          1441033206455
        ]
      }, (more hits...)

Next step:

I took the @timestamp value from the first result ("2015-08-31T15:00:06.455Z") and put it into the same query, under the lte key.

Modified query:

POST logstash-*/logs/_search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": null,
        "lte": "2015-08-31T15:00:06.455Z",
        "format": "date_time"
      }
    }
  },
  "size": 20,
  "from": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "fields": [
    "*",
    "@timestamp"
  ]
}

Modified query result:

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 585,
    "max_score": null,
    "hits": [
      {
        "_index": "logstash-2015.08.31",
        "_type": "logs",
        "_id": "AU-ERbH6dl1LVbEg-Dna",
        "_score": null,
        "fields": {
          "@timestamp": [
            "2015-08-31T15:00:03.871Z"
          ]
        },
        "sort": [
          1441033203871
        ]
      }, (more hits...)

As shown above, the record with the date I queried does not appear in the result list. The hit count decreased by 1, and the first result has an earlier time rather than the exact time I queried.

The index template in use:

PUT _template/my_template
{
  "template" : "logstash-*",
  "mappings" : {
      "logs" : {
        "_source" : {"enabled" : "true"},
        "properties" : {
          "@timestamp" : { "type" : "date", "format" : "date_time" },
          # more fields here
        }
      }
  }
}

I am using Elasticsearch 1.7.1.

Thanks!

You have set the value of "from" to 1 in your search request. That means skip the first result and show the rest. That is why you find the first result missing. If you set "from" to 0 or remove it entirely, you will get the results you want.
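To make the answer's point concrete, here is an added example (not from the question or answer above, and not the Elasticsearch client) that simulates the request's semantics over constructed documents: an inclusive range filter on @timestamp, a descending sort on the epoch-millisecond sort key Elasticsearch reports, and then the from/size window. The document ids and timestamps are made up for the demonstration; the only value taken from the page is the "2015-08-31T15:00:06.455Z" bound, whose sort key 1441033206455 the simulation reproduces.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_millis(iso_z: str) -> int:
    """Parse a `date_time`-formatted UTC timestamp (ISO 8601 with a 'Z' suffix) into
    epoch milliseconds, i.e. the integer Elasticsearch puts in a hit's `sort` array.
    Integer arithmetic on timedeltas avoids float truncation of the milliseconds."""
    dt = datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


# Constructed sample documents (hypothetical ids; not data from the page).
DOCS = [
    {"_id": "doc-1", "@timestamp": "2015-08-31T15:00:03.871Z"},
    {"_id": "doc-2", "@timestamp": "2015-08-31T15:00:05.000Z"},
    {"_id": "doc-3", "@timestamp": "2015-08-31T15:00:06.455Z"},
    {"_id": "doc-4", "@timestamp": "2015-08-31T15:00:07.100Z"},
]


def search(docs, lte=None, gte=None, size=20, from_=0):
    """Simulate the search request from the question:
    1. range filter on @timestamp with inclusive gte/lte bounds (a null bound is open),
    2. sort by @timestamp descending,
    3. return the window [from_, from_ + size) of the sorted matches.
    `total` counts every match, independent of the window, just like hits.total."""
    lo = to_millis(gte) if gte else None
    hi = to_millis(lte) if lte else None

    matches = []
    for doc in docs:
        ms = to_millis(doc["@timestamp"])
        if lo is not None and ms < lo:
            continue
        if hi is not None and ms > hi:
            continue
        matches.append((ms, doc))

    matches.sort(key=lambda pair: pair[0], reverse=True)
    page = matches[from_:from_ + size]
    return {
        "total": len(matches),
        "hits": [
            {"_id": doc["_id"], "@timestamp": doc["@timestamp"], "sort": [ms]}
            for ms, doc in page
        ],
    }


def returned_ids(docs, **kwargs):
    """Convenience: the ids on the returned page, in order."""
    return [hit["_id"] for hit in search(docs, **kwargs)["hits"]]


if __name__ == "__main__":
    bound = "2015-08-31T15:00:06.455Z"
    # With from=1 the newest match (the one equal to the lte bound) is skipped,
    # even though hits.total still counts it.
    print(search(DOCS, lte=bound, from_=1))
    # With from=0 (or omitted) the exact-match record is the first hit.
    print(search(DOCS, lte=bound, from_=0))
```

Running it shows that `total` is 3 in both calls (doc-1, doc-2 and doc-3 all satisfy lte), but the page with `from_=1` starts at doc-2, which is exactly the symptom in the question: the count includes the boundary record while the page does not.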