我在Elastic中有如下数据
{
"_index": "prod",
"_type": "log",
"_id": "aa",
"_source": {
"input_type": "log",
"sourcetype": "sourcetypeapp1",
"message": "APP COMPANY|80d596f6-2082-4a1d-bcfc-740478f626ec|001 ErrorMessage: Some error"
"type": "log",
"tags": [
"beats_input_codec_plain_applied"
]
}
}
我想在邮件中搜索包含以下数据的所有邮件: -
(Message : "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" AND Message:"ErrorMessage")
Or
(Message : "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" AND Message:"ErrorMessage")
Or
(Message : "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" AND Message:"ErrorMessage")
我对弹性搜索查询不太了解,
我试过下面简单的查询它不起作用(只有一个条件):
{
"query": {
"bool": {
"must": {
"bool": {
"should": [
{
"match": {
"Message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001"
}
}
]
}
}
}
}
}
答案 0 :(得分:0)
你可以试试像
这样的东西{
"query": {
"match": {
"Message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001"
}
}
}
答案 1 :(得分:0)
( (condition11 AND condition12) OR (condition21 AND condition22) )
如果这是你想要达到的目的,试试这个
{
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" } },
{ "match": { "message": "ErrorMessage"}}
]
}
},
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" } },
{ "match": { "message": "ErrorMessage"}}
]
}
},
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" } },
{ "match": { "message": "ErrorMessage"}}
]
}
}
]
}
}
}
但在您的示例中,condition12和condition22是相同的。在这种情况下,您可以将其重写为
{
"query": {
"bool": {
"must": [
{ "match": { "message": "ErrorMessage"}},
{
"bool": {
"should": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" } },
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" } },
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" } }
]
}
}
]
}
}
}