Question

我在弹性搜索中有这种格式的记录：

 {
      "_index" : "feb14",
      "_type" : "apache_access",
      "_id" : "1EONaxeVR1-drG0EeQv2QA",
      "_score" : 1.0,
      "_source":{"message":"8.8.8.8 - kurt [18/May/2011:01:48:10 -0700] \"GET /admin HTTP/1.1\" 301 566 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\"","@version":"1","@timestamp":"2011-05-18T08:48:10.000Z","host":"amith-Dell-System-XPS-L502X","path":"/home/amith/Desktop/logstash-1.4.2/accesslog3","type":"apache_access","clientip":"8.8.8.8","ident":"-","auth":"kurt","timestamp":"18/May/2011:01:48:10 -0700","verb":"GET","request":"/admin","httpversion":"1.1","response":"301","bytes":"566","referrer":"\"-\"","agent":"\"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\""}
    }

我需要根据记录的“_source”部分中的字段过滤记录。任何人都可以告诉我该怎么做？

我已经在弹性搜索中查看了搜索API和脚本。但是我无法将它们组合起来以获得结果。

Answer 1

您可以使用http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html

例如：你可以搜索＆＃34; Mozilla＆＃34;或者＆＃34; kurt＆＃34;在＆＃34;消息＆＃34;或＆＃34; auth＆＃34;领域：

"query": {
    "query_string": {
        "fields": ["message", "auth"],
        "default_operator": "OR", // or AND
        "query": "Mozilla kurt"
    }
}

Answer 2

如果我正确地读取您的JSON结构“response”：“301”字段是_source字段内的嵌套字段。您可以使用_source中的任何嵌套字段进行查询，方法是将_source映射为嵌套对象。

> > {
>     "nested" : {
>         "path" : "obj1",
>         "query" : {
>             "bool" : {
>                 "must" : [
>                     {
>                         "match" : {"_source.response" : "301"}
>                     }
>                 ]
>             }
>         }
>     } }

查看映射嵌套对象和嵌套查询：

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-nested-query.html

将_source映射为嵌套对象： http://www.elasticsearch.org/guide/en/elasticsearch/guide/current/nested-mapping.html

根据“_source”字段中的键在ElasticSearch中搜索记录

2 个答案: