ElasticSearch找到System.NullReferenceException但不是NullReferenceException - 为什么?

时间:2016-05-09 03:36:31

标签: elasticsearch

我有一个基本的ELK堆栈,其中多台机器将日志推送到ElasticSearch(ES)服务器,我使用Kibana检查它们。

我的问题是我可以看到很多System.NullReferenceException个匹配,但没有NullReferenceException,这让我很困惑。

以下是我要尝试运行的查询:

GET _search
{
  "query": {
    "match": {
      "message": "NullReferenceException"
    }
  }
}

结果是:

{
  "took": 47,
  "timed_out": false,
  "_shards": {
    "total": 1681,
    "successful": 1681,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  }
}

但是,如果我使用以下查询:

GET _search
{
  "query": {
    "match": {
      "message": "System.NullReferenceException"
    }
  }
}

我明白了:

{
  "took": 31,
  "timed_out": false,
  "_shards": {
    "total": 1681,
    "successful": 1681,
    "failed": 0
  },
  "hits": {
    "total": 12796,
    "max_score": 1.7968642,
    "hits": [
      {
        "_index": "logs-good-qa_849-2016.05.05",
        "_type": "MobileWebService",
        "_id": "28327d702db62623059027479162a3d73ef909f6",
        "_score": 1.7968642,
        "_source": {
          "@timestamp": "2016-05-05T19:04:20.741Z",
          "message": "Object reference not set to an instance of an object. \r\nSystem.NullReferenceException: Object reference not set to an instance of 
...

似乎正在分析消息列。如果我请求映射:

GET logs-good-qa_849-2016.05.05/_mapping/MobileWebService

我回来了:

# GET logs-good-qa_849-2016.05.05/_mapping/MobileWebService
{
  "logs-good-qa_849-2016.05.05": {
    "mappings": {
      "MobileWebService": {
        "properties": {
          "@timestamp": {
            "type": "date",
            "format": "strict_date_optional_time||epoch_millis"
          },
          "@version": {
            "type": "string"
          },
          "host": {
            "type": "string"
          },
          "level": {
            "type": "string"
          },
          "logger": {
            "type": "string"
          },
          "message": {
            "type": "string"
          },
          "path": {
            "type": "string"
          },
          "qa_build": {
            "type": "string"
          },
          "tags": {
            "type": "string"
          },
          "ts": {
            "type": "string"
          }
        }
      }
    }
  }
}

我从中得出结论,消息字段应该分别被分隔符和索引一词破坏。据我所知.是一个单词分隔符,所以我不明白发生了什么。

有什么想法吗?

1 个答案:

答案 0 :(得分:1)

让我们尝试分析message字段的内容:

curl -XGET 'localhost:9200/accounts_2016_dev/_analyze?pretty' -d 'Object reference not set to an instance of an object. \r\nSystem.NullReferenceException: Object reference not set to an instance of'

我们得到的一个代币如下:

 {
    "token" : "nsystem.nullreferenceexception",
    "start_offset" : 57,
    "end_offset" : 87,
    "type" : "<ALPHANUM>",
    "position" : 12
  }

正如您所看到的那样,点不会用作单词分隔符,因为它后面没有空格。更一般地,分析test.dot将生成单个令牌test.dot,而分析test. dot(点后面有1+空格)将生成两个令牌test和{{1} }。

因此,您无法仅匹配dot

相关问题
最新问题