我希望从弹性搜索中获取过去30天的文档,但它返回空白。
这是我的映射:
PUT /books
{
"mappings": {
"impressions": {
"properties": {
"booksCreated" : {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis",
"index": true
}
}
}
}
}
这是我的疑问:
POST /books/_search?size=0
{
"aggs": {
"range": {
"date_range": {
"field": "booksCreated",
"format": "yyyy-MM-dd",
"ranges": [
{ "to": "now" },
{ "from": "now-1M/M" }
]
}
}
}
}
我已尝试过所有可能的方法,但它会返回空白。
但我可以查询 @timestamp 字段
问题是logstash将字段类型从date更改为string。我的json是:
{
"index":"books",
"type":"book",
"body":{
"impressions":{
"_source":{
"enabled":true
},
"properties":{
"BookCreated":"2017-09-18 12:18:39"
}
}
}
}
和我的logstash配置:
input {
file {
path => "E:\data2\log\logstash.log"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => json
}
}
filter {
mutate {
strip => ["message"]
}
}
output {
elasticsearch {
hosts => "localhost"
index => "books"
document_type => "book"
}
}
我会将json记录到日志文件中,并将logstash发送到elasticsearch
在添加json后,映射变为:
{
"Books": {
"mappings": {
"Books": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"BookCreated": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss"
},
"body": {
"properties": {
"Books": {
"properties": {
"_source": {
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"properties": {
"properties": {
"BookCreated": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}
},
"host": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"index": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}
它有两个BookCreated一个isdate,另一个是文本
答案 0 :(得分:0)
您需要将[[[NSApplication sharedApplication] dockTile] setBadgeLabel:[NSString stringWithFormat: @"%ld", 10]];
和from放在相同的范围内,如下所示:
to答案 1 :(得分:0)
我很确定您的映射存在问题。首先,要确保bookCreated字段在命名和大小写方面都保持一致!
第二,我相信您拥有两个bookCreated的原因是因为您的映射包含bookCreated属性。但是,您的JSON包含一个嵌套结构:body => properties => bookCreated。要么以logstash形式将书展平/转换为所需的索引结构,要么根据json对索引进行建模,看起来像这样?
"mappings": {
"properties": {
"body": {
"type": "object",
"properties": {
"properties": {
"type": "object",
"properties": {
"bookCreated": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis",
"index": true
}
}
}
}
}
}
}
无论哪种方式,我建议您设置"dynamic": "strict",这样您才能真正看到映射中的错误,而不仅仅是正在创建的新字段