How to configure an elasticsearch regexp query

Time: 2018-02-16 15:53:32

Tags: elasticsearch dsl querydsl

I am trying to configure an elasticsearch request. I use the DSL and am trying to find data that contains the word "message" in the "swagger" field.

Here is one of the correct results that I want to be shown:

  {
                "_index": "apiconnect508",
                "_type": "audit",
                "_id": "AWF1us1T4ztincEzswAr",
                "_score": 1,
                "_source": {
                    "consumerOrgId": null,
                    "headers": {
                        "http_accept": "application/json",
                        "content_type": "application/json",
                        "request_path": "/apim-5a7c34e0e4b02e66c60edbb2-2018.02/auditevent",
                        "http_version": "HTTP/1.1",
                        "http_connection": "keep-alive",
                        "request_method": "POST",
                        "http_host": "localhost:9700",
                        "request_uri": "/apim-5a7c34e0e4b02e66c60edbb2-2018.02/auditevent",
                        "content_length": "533",
                        "http_user_agent": "Wink Client v1.1.1"
                    },
                    "nlsMessage": {
                        "resource": "messages",
                        "replacements": [
                            "test",
                            "1.0.0",
                            "ext_mafashagov@rencredit.ru"
                        ],
                        "key": "swagger.import.notification"
                    },
                    "notificationType": "EVENT",
                    "eventType": "AUDIT",
                    "source": null,
                    "envId": null,
                    "message": "API test version 1.0.0 was created from a Swagger document by ext_mafashagov@rencredit.ru.",
                    "userId": "ext_mafashagov@rencredit.ru",
                    "orgId": "5a7c34e0e4b02e66c60edbb2",
                    "assetType": "api",
                    "tags": [
                        "_geoip_lookup_failure"
                    ],
                    "gateway_geoip": {},
                    "datetime": "2018-02-08T14:04:32.731Z",
                    "@timestamp": "2018-02-08T14:04:32.747Z",
                    "assetId": "5a7c58f0e4b02e66c60edc53",
                    "@version": "1",
                    "host": "127.0.0.1",
                    "id": "5a7c58f0e4b02e66c60edc55",
                    "client_geoip": {}
                }
            }

I tried to find the JSON in the following way:

  

POST myAddress/_search

The next query works without the "regexp" field. How should I configure the regexp part of the query?

{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
               "@timestamp" : {"gte" : "now-100d"}

              }
            },
            {
              "term": {
                "_type": "audit"
              }
            },
            {
                "regexp" : {
                    "message": "*wagger*"
                }
            }

          ]
        }
      }
    }

  },
  "sort": {
    "TraceDateTime": {
      "order": "desc",
      "ignore_unmapped": "true"
    }
  }
}

1 answer:

Answer 0 (score: 0)

If the message field is analyzed, this simple match query should work:

"match":{
    "message":"*swagger*"
}

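However, if it is not analyzed, these two queries should also work for you. Both queries are case-sensitive, so if you want to keep the field not analyzed, you should consider lowercasing the field.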

"wildcard":{
    "message":"*swagger*"
}

"regexp":{
    "message":".*swagger.*"
}

Note that wildcard and regexp queries degrade performance.
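An added example (not part of the original question or answer) that approximates in Python how term-level `regexp` and `wildcard` queries are compared against the `message` value from the question, for an analyzed and a not-analyzed field. It assumes an analyzer that splits on non-word characters and lowercases, and uses Python's `re` as a stand-in for Lucene's regexp syntax for the operators shown; the helper names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# "message" value copied from the sample document in the question.
MESSAGE = ("API test version 1.0.0 was created from a Swagger document "
           "by ext_mafashagov@rencredit.ru.")

def index_terms(text, analyzed):
    """Return the terms a term-level query is compared against.

    analyzed=True approximates an analyzer that splits on non-word
    characters and lowercases (assumption, simpler than the real one);
    analyzed=False keeps the whole value as a single, unchanged term.
    """
    if not analyzed:
        return [text]
    return [tok.lower() for tok in re.findall(r"\w+", text)]

def regexp_hits(pattern, terms):
    """Anchored, case-sensitive regexp: it must match an entire term.

    Returns None when Python's re rejects the pattern as invalid.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    return [t for t in terms if rx.fullmatch(t)]

def wildcard_hits(pattern, terms):
    """Case-sensitive wildcard match (* and ?) against whole terms."""
    return [t for t in terms if fnmatchcase(t, pattern)]

if __name__ == "__main__":
    cases = [("regexp", "*wagger*"), ("regexp", "swagger"),
             ("regexp", ".*[Ss]wagger.*"), ("wildcard", "*swagger*"),
             ("wildcard", "*Swagger*")]
    for analyzed in (True, False):
        terms = index_terms(MESSAGE, analyzed)
        for kind, pattern in cases:
            fn = regexp_hits if kind == "regexp" else wildcard_hits
            hits = fn(pattern, terms)
            label = "invalid pattern" if hits is None else f"{len(hits)} hit(s)"
            print(f"analyzed={analyzed!s:5} {kind:8} {pattern!r:18} -> {label}")
```

When searching audit events, a lowercase pattern against a not-analyzed field silently returns nothing for "Swagger", so confirm the field mapping before treating an empty result as "no matching events".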