I have the following data in my index:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 4,
"max_score": 1,
"hits": [
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=0 RESULT tag=97 err=49 text=",
"@timestamp": "2016-11-11T10:52:42.921Z",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 0,
"tag": 97,
"error_code": 49
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 fd=13 ACCEPT from IP=10.1.2.2:37713 (IP=0.0.0.0:389)",
"@version": "1",
"@timestamp": "2016-11-11T10:52:42.920Z",
"type": "slapdmine",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"fd_number": "13",
"src_ip": "10.1.2.2"
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=0 BIND dn=\"uid=dharmikp,ou=python,dc=red5admin\" method=128",
"@version": "1",
"@timestamp": "2016-11-11T10:52:42.920Z",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 0,
"operation_name": "BIND",
"bind_dn": "uid=dharmikp,ou=python,dc=red5admin",
"bind_method": "128"
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=1 UNBIND",
"@timestamp": "2016-11-11T10:52:42.953Z",
"type": "slapdmine",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 1,
"operation_name": "UNBIND"
}
}
]
}
}
I want to find the list of src_ip values that belong to the error_code. These two attributes do not exist in a single document, but the connection id is the same across the documents. If I had to write a SQL query, I might do it as follows:
select src_ip from ldap where connection in (select connection from ldap where error_code = 49)
The mapping of my index:
"para-slapdmine-logs-2016.11.11" : {
"mappings" : {
"slapdmine" : {
"properties" : {
"@timestamp" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
},
"@version" : {
"type" : "string"
},
"bind_dn" : {
"type" : "string"
},
"bind_method" : {
"type" : "string"
},
"connection" : {
"type" : "long"
},
"dst_ip" : {
"type" : "string"
},
"dst_port" : {
"type" : "string"
},
"error_code" : {
"type" : "long"
},
"fd_number" : {
"type" : "string"
},
"host" : {
"type" : "string"
},
"logsource" : {
"type" : "string"
},
"message" : {
"type" : "string"
},
"operation_name" : {
"type" : "string"
},
"operation_number" : {
"type" : "long"
},
"pid" : {
"type" : "string"
},
"program" : {
"type" : "string"
},
"src_ip" : {
"type" : "string"
},
"src_port" : {
"type" : "string"
},
"tag" : {
"type" : "long"
},
"timestamp" : {
"type" : "string"
},
"type" : {
"type" : "string"
}
}
}
}
}
How can I achieve this in Elasticsearch?
Using Elasticsearch (2.3.3).

Answer 0 (score: 0)
I'm afraid we cannot run SQL sub-queries at the moment, but we can still run such a query with an application-side join using a terms query, like this:
GET /my_index/ldap/_search
{
"query": {
"bool": {
"filter": [{ "term": { "error_code": 49 }}]
}
}
}
GET /my_index/ldap/_search
{
"query": {
"bool": {
"filter": [{ "terms": { "connection": [RESULTS_FROM_FIRST_QUERY] }}]
}
}
}
Hope this helps.
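The two-step join the answer describes, carried out end to end as an added Python example (not code from the question or the answer). It replaces the two GET /my_index/ldap/_search calls with a hypothetical in-memory evaluator, local_search, and embeds the question's four hits as constructed sample documents so it runs offline; LDAP result code 49 is invalidCredentials, so the result is the list of client addresses behind the failed binds.

```python
# Constructed sample data: the four hits from the question, reduced to the
# fields the join needs (assumption: these are all documents for conn 1046).
DOCS = [
    {"connection": 1046, "operation_number": 0, "tag": 97, "error_code": 49},
    {"connection": 1046, "fd_number": "13", "src_ip": "10.1.2.2"},
    {"connection": 1046, "operation_number": 0, "operation_name": "BIND",
     "bind_dn": "uid=dharmikp,ou=python,dc=red5admin", "bind_method": "128"},
    {"connection": 1046, "operation_number": 1, "operation_name": "UNBIND"},
]

def first_query(error_code=49):
    """Step 1 from the answer: the documents whose error_code matches."""
    return {"query": {"bool": {"filter": [{"term": {"error_code": error_code}}]}}}

def second_query(connections):
    """Step 2: a terms filter built from the connection ids step 1 returned."""
    return {"query": {"bool": {"filter": [
        {"terms": {"connection": sorted(connections)}}]}}}

def local_search(body, docs=DOCS):
    """Stand-in for GET /my_index/ldap/_search (hypothetical, not the ES engine):
    evaluates the term/terms clauses of bool.filter against in-memory documents."""
    hits = []
    for doc in docs:
        matched = True
        for clause in body["query"]["bool"]["filter"]:
            if "term" in clause:
                (field, value), = clause["term"].items()
                matched = matched and doc.get(field) == value
            elif "terms" in clause:
                (field, values), = clause["terms"].items()
                matched = matched and doc.get(field) in values
        if matched:
            hits.append({"_source": doc})
    return {"hits": {"hits": hits}}

def src_ips_for_error(error_code=49, search=local_search):
    """Application-side join: collect connection ids from query 1, feed them to
    query 2, and keep the src_ip of the ACCEPT documents that come back."""
    step1 = search(first_query(error_code))
    connections = {h["_source"]["connection"] for h in step1["hits"]["hits"]}
    if not connections:            # nothing failed: skip the second round trip
        return []
    step2 = search(second_query(connections))
    return sorted({h["_source"]["src_ip"] for h in step2["hits"]["hits"]
                   if "src_ip" in h["_source"]})

if __name__ == "__main__":
    print(src_ips_for_error())     # ['10.1.2.2']
```

Against a real cluster, pass a function that POSTs the body to /my_index/ldap/_search and returns the parsed JSON in place of local_search; a large set of connection ids should be chunked across several terms queries.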