Elasticsearch Watcher range error

Time: 2017-01-02 10:07:58

Tags: elasticsearch elastic-stack

PUT _xpack/watcher/watch/log_error_watch
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "filebeat-2017.01.02"
        ],
        "body": {
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ],

          "query": {
            "range": {
              "offset": {
                "gte": 1000,
                "lte": 2000
              }
            }, 

            "match": {
              "source": "/var/log/apache2/access.log"
            }
          },
          "size": 5
        }
      }
    }
  }
}

[o.e.m.j.JvmGcMonitorService] [hj-test156] [gc][11042] overhead, spent [701ms] collecting in the last [1s]
[2017-01-02T15:32:04,311][ERROR][o.e.x.w.i.s.ExecutableSimpleInput] [hj-test156] failed to execute [search] input for [log_error_watch], reason [[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]]

1 answer:

Answer 0: (score: 0)

Your query is malformed; you need to write it like this:

...
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "offset": {
              "gte": 1000,
              "lte": 2000
            }
          }
        },
        {
          "match": {
            "source": "/var/log/apache2/access.log"
          }
        }
      ]
    }
  }
},
...

UPDATE

For a range on a date field, you can do this:

{
  "range": {
    "@timestamp": {
      "gte": "2017-01-02T05:23:34.731Z",
      "lte": "2017-01-03T05:23:34.731Z"
    }
  }
},
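The parse error in the question comes from a structural rule of the query DSL: the `query` object holds exactly one clause (one key naming the clause type), so a second key beside `range` is rejected as soon as the `range` body closes. Because a watch with a malformed input logs an ERROR on every trigger and never fires its actions, it is worth catching this before the watch is stored. The following added example (written for this page, not code from the question, the answer or Elastic) lints a `query` object for sibling clauses, combines clauses into the `bool.must` form from the answer, and assembles the full watch body from the question, including the date-range clause from the update. The helper names `lint_query`, `bool_must` and `build_watch`, and the `LEAF_CLAUSES` subset of clause types, are assumptions made here, not part of any Elasticsearch API.

```python
import json

# Clause types the linter recognises. This is a hand-picked subset of the
# Elasticsearch query DSL, chosen for this example; extend it as needed.
LEAF_CLAUSES = {"match", "term", "terms", "range", "exists", "match_all", "query_string"}
COMPOUND_CLAUSES = {"bool"}
BOOL_OCCURRENCES = ("must", "should", "filter", "must_not")


def lint_query(query):
    """Return a list of problems found in a `query` object.

    Elasticsearch parses `query` as a single clause: one key naming the clause
    type, whose value is that clause's body. Two keys at the same level is what
    produces "[range] malformed query, expected [END_OBJECT] but found
    [FIELD_NAME]": the parser finished the range clause, expected the enclosing
    object to close, and instead met another field name.
    """
    problems = []
    if not isinstance(query, dict) or not query:
        return ["query must be a non-empty object"]
    if len(query) > 1:
        names = ", ".join(sorted(query))
        problems.append(f"query has {len(query)} top-level clauses ({names}); "
                        "wrap them in bool.must (or should/filter)")
    for name, body in query.items():
        if name in COMPOUND_CLAUSES:
            # Recurse into each occurrence; ES accepts a single clause or a list.
            for occurrence in BOOL_OCCURRENCES:
                clauses = body.get(occurrence, [])
                if isinstance(clauses, dict):
                    clauses = [clauses]
                for sub in clauses:
                    problems.extend(lint_query(sub))
        elif name not in LEAF_CLAUSES:
            problems.append(f"unknown clause [{name}]")
    return problems


def bool_must(*clauses):
    """Combine leaf clauses into one bool.must query (the fix given in the answer)."""
    return {"bool": {"must": list(clauses)}}


# The asker's query: range and match as siblings directly under `query`.
BROKEN_QUERY = {
    "range": {"offset": {"gte": 1000, "lte": 2000}},
    "match": {"source": "/var/log/apache2/access.log"},
}

# The answer's fix, plus the date-range clause from the update.
FIXED_QUERY = bool_must(
    {"range": {"offset": {"gte": 1000, "lte": 2000}}},
    {"match": {"source": "/var/log/apache2/access.log"}},
    {"range": {"@timestamp": {"gte": "2017-01-02T05:23:34.731Z",
                              "lte": "2017-01-03T05:23:34.731Z"}}},
)


def build_watch(query, indices, interval="10s", size=5):
    """Assemble the watch body from the question around `query`.

    The query is linted first so a malformed one fails here, at deploy time,
    rather than as a repeated ERROR in the Elasticsearch log on each trigger.
    """
    problems = lint_query(query)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": list(indices),
            "body": {
                "sort": [{"@timestamp": {"order": "desc"}}],
                "query": query,
                "size": size,
            },
        }}},
    }


if __name__ == "__main__":
    print("broken:", lint_query(BROKEN_QUERY))
    print("fixed: ", lint_query(FIXED_QUERY))
    print(json.dumps(build_watch(FIXED_QUERY, ["filebeat-2017.01.02"]), indent=2))
```

`build_watch` returns the JSON you would send with `PUT _xpack/watcher/watch/log_error_watch`; running it on `BROKEN_QUERY` raises before anything reaches the cluster, while `FIXED_QUERY` passes and yields the corrected watch.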