I have an EFK platform and I am trying to search it with the PHP API.
Here is one indexed document:
{"message":"New request to POST /match.","hostname":"gandalf","severity":"crit","host":"app-base","application":"app-api","environment":"PRO","ip":"80.38.71.125","user_agent":"curl","user_id":"561226f2fef3874e058b4568","device_id":"match_abs","operation_id":"5665cbccbae4e","operation":"find_match","key":"match.post","code":"0","value_float1":"1","value_float2":"0","value_float3":"0","value_string1":"-","value_string2":"-","value_string3":"-","@timestamp":"2015-12-07T19:11:24+01:00"}
This is my test script:
<?php
require 'vendor/autoload.php';

use Elasticsearch\ClientBuilder;

$hosts = [
    'localhost:9200', // IP + Port
];

// Default Monolog logger provided by the client. /tmp is world-readable, so use a
// dedicated log directory if logged query bodies (user IDs, IPs) must not leak.
$logger = ClientBuilder::defaultLogger('/tmp/el.log');

$client = ClientBuilder::create() // Instantiate a new ClientBuilder
    ->setHosts($hosts)            // Set the hosts
    ->setLogger($logger)          // Set the logger
    ->build();

$params = [
    'index' => 'logstash*',
    'size'  => 500,
    'type'  => 'fluentd',
    'body'  => [
        'sort' => [
            '@timestamp' => ['order' => 'asc'],
        ],
        'query' => [
            'filtered' => [
                'filter' => [
                    'bool' => [
                        // 'must' is an associative array here, not a list of clauses
                        'must' => [
                            'query' => [
                                'match' => ['environment' => 'PRO']
                            ],
                            'range' => [
                                '@timestamp' => [
                                    'gte' => 1449442800000,
                                    'lte' => 1449529199999
                                ]
                            ]
                        ],
                        'must_not' => []
                    ]
                ],
                'query' => [
                    // Duplicate 'match' key: PHP keeps only the last value, which is
                    // why the serialized body in the error below contains only 'key'
                    'match' => ['user_id' => '561226f2fef3874e058b4568'],
                    'match' => ['key' => 'match.post']
                ]
            ]
        ]
    ]
];

$response = $client->search($params);
echo $response['hits']['total'] . "\n";
foreach ($response['hits']['hits'] as $item) {
    echo $item['_source']['key'] . "\n";
    echo $item['_source']['environment'] . "\n";
    echo "\n";
}
After running my script I get this error:
Dec 8 10:05:50 11.0.0.174 ::php-cli::PRO::-: PHP Fatal error: Uncaught exception 'Elasticsearch\Common\Exceptions\BadRequest400Exception' with message '{"error":"SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; shardFailures {[G9r0YNWZSEG7-tOgMuDNWQ][logstash-2015.12.07][0]: SearchParseException[[logstash-2015.12.07][0]: from[-1],size[-1],sort[<custom:\"@timestamp\": org.elasticsearch.index.fielddata.fieldcomparator.LongValuesComparatorSource@3ff7f796>]: Parse Failure [Failed to parse source [{\"sort\":{\"@timestamp\":{\"order\":\"asc\"}},\"query\":{\"filtered\":{\"filter\":{\"bool\":{\"must\":{\"query\":{\"match\":{\"environment\":\"PRO\"}},\"range\":{\"@timestamp\":{\"gte\":1449442800000,\"lte\":1449529199999}}},\"must_not\":[]}},\"query\":{\"match\":{\"key\":\"match.post\"}}}}}]]]; nested: QueryParsingException[[logstash-2015.12.07] No filter registered for [@timestamp]]; }{[G9r0YNWZSEG7-tOgMuDNWQ][logstash-2015.12.08][0]: SearchParseException[[logstash-2015.12.08][0]: from[-1],size[-1],sort[<custom:\"@timestamp\": org.elasticsearch.i in /root/test/vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php on line 644
The key part is this:
No filter registered for [@timestamp]
But every document has this field.
Also, this query generated by Kibana 4 works fine.
{
  "size": 500,
  "sort": {
    "@timestamp": "desc"
  },
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "analyze_wildcard": true,
          "query": "(user_id: 561226f2fef3874e058b4568) and (key:match.post)"
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "query": {
                "match": {
                  "environment": {
                    "query": "PRO",
                    "type": "phrase"
                  }
                }
              }
            },
            {
              "range": {
                "@timestamp": {
                  "gte": 1449442800000,
                  "lte": 1449529199999
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    }
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "30m",
        "pre_zone": "+01:00",
        "pre_zone_adjust_large_interval": true,
        "min_doc_count": 0,
        "extended_bounds": {
          "min": 1449442800000,
          "max": 1449529199999
        }
      }
    }
  },
  "fields": [
    "*",
    "_source"
  ],
  "script_fields": {},
  "fielddata_fields": [
    "@timestamp"
  ]
}
What is wrong?
Thanks a lot, everyone.
Answer 0: (score: 0)
I made a mistake in the query.
The content of the 'must' clause (inside the bool filter) must be an array.
So my PHP code needs to look like this.
<?php
require 'vendor/autoload.php';

use Elasticsearch\ClientBuilder;

$hosts = [
    'localhost:9200', // IP + Port
];

// Default Monolog logger provided by the client. /tmp is world-readable, so use a
// dedicated log directory if logged query bodies (user IDs, IPs) must not leak.
$logger = ClientBuilder::defaultLogger('/tmp/el.log');

$client = ClientBuilder::create() // Instantiate a new ClientBuilder
    ->setHosts($hosts)            // Set the hosts
    ->setLogger($logger)          // Set the logger
    ->build();

$params = [
    'index' => 'logstash*',
    'size'  => 500,
    'type'  => 'fluentd',
    'body'  => [
        'sort' => [
            '@timestamp' => ['order' => 'asc'],
        ],
        'query' => [
            'filtered' => [
                'filter' => [
                    'bool' => [
                        // Each clause is its own single-key array, so 'must'
                        // serializes as a JSON array of filters
                        'must' => [
                            ['query' => [
                                'match' => ['environment' => 'PRO']
                            ]],
                            ['range' => [
                                '@timestamp' => [
                                    'gte' => 1449442800000,
                                    'lte' => 1449529199999
                                ]
                            ]],
                        ],
                        // must_not belongs to the bool filter itself, not inside 'must'
                        'must_not' => []
                    ]
                ],
                // Two conditions cannot share one 'match' key in a PHP array (the
                // last one wins), so combine them in a bool query instead
                'query' => [
                    'bool' => [
                        'must' => [
                            ['match' => ['user_id' => '561226f2fef3874e058b4568']],
                            ['match' => ['key' => 'match.post']],
                        ]
                    ]
                ]
            ]
        ]
    ]
];

$response = $client->search($params);
echo $response['hits']['total'] . "\n";
foreach ($response['hits']['hits'] as $item) {
    echo $item['_source']['key'] . "\n";
    echo $item['_source']['environment'] . "\n";
    echo "\n";
}
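The root cause in both scripts is how PHP arrays serialize: an associative array becomes a JSON object, so two clauses written under one `'must'` key were sent as a single merged filter, and the parser ended up reading `@timestamp` as a filter name. The following is an added example, not code from the question or the answer, that builds the broken and the corrected bodies offline and runs a small check over them before anything is sent to Elasticsearch. The function names (`isJsonList`, `findNonListBoolClauses`, `brokenBody`, `fixedBody`, `duplicateKeyLoses`) are my own; field names and values are taken from the page. It needs PHP 7 or later and no Elasticsearch connection.

```php
<?php
// Added example: sanity-check a query body built from PHP arrays before sending it.
// Helper names are hypothetical; the field names and values come from the page.
declare(strict_types=1);

// True when $a will json_encode() as a JSON array (keys 0..n-1), false for an object.
function isJsonList(array $a): bool
{
    return $a === [] || array_keys($a) === range(0, count($a) - 1);
}

// Walk the body and return the paths of bool clauses (must/should/must_not/filter)
// that hold two or more clauses merged into one object. Elasticsearch accepts a
// single clause object or a list of clause objects; a merged object is parsed as
// one filter, which is what produced "No filter registered for [@timestamp]".
function findNonListBoolClauses(array $node, string $path = ''): array
{
    $problems = [];
    foreach ($node as $key => $value) {
        if (!is_array($value)) {
            continue;
        }
        $here = $path . '/' . $key;
        if ($key === 'bool') {
            foreach (['must', 'should', 'must_not', 'filter'] as $clause) {
                if (isset($value[$clause]) && is_array($value[$clause])
                    && !isJsonList($value[$clause]) && count($value[$clause]) > 1) {
                    $problems[] = $here . '/' . $clause;
                }
            }
        }
        $problems = array_merge($problems, findNonListBoolClauses($value, $here));
    }
    return $problems;
}

// The filter from the question: two clauses merged into one associative array.
function brokenBody(): array
{
    return ['query' => ['filtered' => ['filter' => ['bool' => [
        'must' => [
            'query' => ['match' => ['environment' => 'PRO']],
            'range' => ['@timestamp' => ['gte' => 1449442800000, 'lte' => 1449529199999]],
        ],
        'must_not' => [],
    ]]]]];
}

// The corrected body: a list of single-clause arrays, and the two match conditions
// combined in a bool query instead of two identical 'match' keys.
function fixedBody(): array
{
    return [
        'sort'  => ['@timestamp' => ['order' => 'asc']],
        'query' => ['filtered' => [
            'query' => ['bool' => ['must' => [
                ['match' => ['user_id' => '561226f2fef3874e058b4568']],
                ['match' => ['key' => 'match.post']],
            ]]],
            'filter' => ['bool' => [
                'must' => [
                    ['query' => ['match' => ['environment' => 'PRO']]],
                    ['range' => ['@timestamp' => ['gte' => 1449442800000, 'lte' => 1449529199999]]],
                ],
                'must_not' => [],
            ]],
        ]],
    ];
}

// Shows the second pitfall from the question: a repeated array key silently
// overwrites the first, so the user_id condition never reached Elasticsearch.
function duplicateKeyLoses(): bool
{
    $q = [
        'match' => ['user_id' => '561226f2fef3874e058b4568'],
        'match' => ['key' => 'match.post'],
    ];
    return count($q) === 1 && !isset($q['match']['user_id']);
}

// Compare how the two 'must' clauses serialize, then run the structural check.
echo json_encode(brokenBody()['query']['filtered']['filter']['bool']['must']), "\n";
echo json_encode(fixedBody()['query']['filtered']['filter']['bool']['must']), "\n";
print_r(findNonListBoolClauses(brokenBody()));
print_r(findNonListBoolClauses(fixedBody()));
var_dump(duplicateKeyLoses());
```

Running it prints the broken `must` as a JSON object and the fixed one as a JSON array, reports the merged clause path for the question's body and nothing for the corrected one, and confirms that the duplicated `'match'` key drops the `user_id` condition. Calling `findNonListBoolClauses()` on `$params['body']` before `$client->search($params)` turns a confusing shard-level parse error into an immediate, local failure.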