elasticsearch date range accuracy

Time: 2015-08-31 15:23:55

Tags: elasticsearch elastic-stack

TL;DR: a range filter with an lte condition on a date never returns the record with that exact date.

In the snippets below, pay attention to the @timestamp field.

Query:

POST logstash-*/logs/_search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": null,
        "lte": "2015-08-31T15:00:07.397Z",
        "format": "date_time"
      }
    }
  },
  "size": 20,
  "from": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "fields": [
    "*",
    "@timestamp"
  ]
}

Query result:

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 586,
    "max_score": null,
    "hits": [
      {
        "_index": "logstash-2015.08.31",
        "_type": "logs",
        "_id": "AU-ERb3Ndl1LVbEg-Dnb",
        "_score": null,
        "fields": {
          "@timestamp": [
            "2015-08-31T15:00:06.455Z"
          ]
        },
        "sort": [
          1441033206455
        ]
      }, (more hits...)

Next step:

I took the value "2015-08-31T15:00:06.455Z" from the first result's @timestamp and put it under the lte key in the same query.

Enhanced query:

POST logstash-*/logs/_search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": null,
        "lte": "2015-08-31T15:00:06.455Z",
        "format": "date_time"
      }
    }
  },
  "size": 20,
  "from": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "fields": [
    "*",
    "@timestamp"
  ]
}

Enhanced query result:

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 585,
    "max_score": null,
    "hits": [
      {
        "_index": "logstash-2015.08.31",
        "_type": "logs",
        "_id": "AU-ERbH6dl1LVbEg-Dna",
        "_score": null,
        "fields": {
          "@timestamp": [
            "2015-08-31T15:00:03.871Z"
          ]
        },
        "sort": [
          1441033203871
        ]
      }, (more hits...)

As shown above, the record with the date I queried does not appear in the result list. The hit count decreased by 1, and the first result has an earlier time rather than the exact time I queried.

Index template in use:

PUT _template/my_template
{
  "template" : "logstash-*",
  "mappings" : {
      "logs" : {
        "_source" : {"enabled" : "true"},
        "properties" : {
          "@timestamp" : { "type" : "date", "format" : "date_time" },
          # more fields here
        }
      }
  }
}

I am using elasticsearch 1.7.1.

Thanks!

1 answer:

Answer 0 (score: 0)

You have set "from" to 1 in your search request. That means the first result is skipped and the rest of the results are shown. That is why you find the first result missing. If you set "from" to 0 or remove it entirely, you will get the results you expect.
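An added example (not code from the question or the answer) that reproduces the behaviour in Python against constructed sample hits: it applies the inclusive lte bound, sorts @timestamp descending, then takes the from/size window, so the effect of from=1 versus from=0 on the boundary record is visible without a cluster. The document ids and the hit list are constructed; the epoch-millisecond sort values are computed the way Elasticsearch reports them for a date field.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample hits (id, @timestamp), modelled on the timestamps that
# appear in the question; they are not the real index contents.
SAMPLE_HITS = [
    ("doc-a", "2015-08-31T15:00:07.397Z"),
    ("doc-b", "2015-08-31T15:00:06.455Z"),
    ("doc-c", "2015-08-31T15:00:03.871Z"),
    ("doc-d", "2015-08-31T14:59:59.000Z"),
]


def to_epoch_millis(ts):
    """Parse a date_time value and return the epoch-millisecond integer that
    Elasticsearch puts in the 'sort' array for a date field."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def search(hits, lte=None, from_=0, size=20):
    """Mimic the request in the question: an inclusive 'lte' range filter on
    @timestamp, a descending sort on it, then the from/size window.
    'from_' is the number of leading hits to skip, exactly as ES treats it."""
    bound = to_epoch_millis(lte) if lte is not None else None
    matched = [
        {"_id": doc_id, "@timestamp": ts, "sort": [to_epoch_millis(ts)]}
        for doc_id, ts in hits
        if bound is None or to_epoch_millis(ts) <= bound
    ]
    matched.sort(key=lambda h: h["sort"][0], reverse=True)
    # 'total' counts every matching document; only the window is returned.
    return {"total": len(matched), "hits": matched[from_:from_ + size]}


def boundary_hit_returned(hits, lte, from_):
    """Repeat the question's experiment: query with lte set to a timestamp that
    exists in the index and report whether that record is in the page."""
    page = search(hits, lte=lte, from_=from_)["hits"]
    return any(h["@timestamp"] == lte for h in page)


if __name__ == "__main__":
    lte = "2015-08-31T15:00:06.455Z"
    for from_ in (1, 0):
        r = search(SAMPLE_HITS, lte=lte, from_=from_)
        print(f"from={from_}: total={r['total']} first={r['hits'][0]['@timestamp']} "
              f"boundary_returned={boundary_hit_returned(SAMPLE_HITS, lte, from_)}")
```

When paging through log evidence this way, compare hits.total with the number of hits you actually fetched; a non-zero from offset silently drops the newest events in the window.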