I used to think I knew how to use bool queries, but what I did before no longer seems to work: some fields can be filtered with a bool query and others cannot.
(I am testing on v6, so something may have changed in the meantime, but the documentation does not seem to suggest so.)
Query
GET /security-center*/_search
{
  "query": {
    "match_all": {}
  }
}
outputs documents such as
{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1487073,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "security-center-2019.01.24",
        "_type" : "doc",
        "_id" : "igzyfWgBcCggV6jwR96k",
        "_score" : 1.0,
        "_source" : {
          "vulns_port" : "49666",
          "hosts_vulns_scanners_0_loadavg" : "0.0",
          "vulns_patchpubdate" : "-1",
          "vulns_description" : "This script uses WMI to list the processes running on the remote host\nand listening on TCP / UDP ports.",
          "hosts_vulns_completedchecks" : "3046410",
          "vulns_family_id" : "20",
          "hosts_vulns_repository_description" : "CREATED",
          "hosts_vulns_completedips" : "30",
          "hosts_vulns_ownergroup_id" : "0",
          "hosts_vulns_ownergroup_name" : "Full Access",
          "host_dmz" : "False",
          (...)
I will query two of the fields above, vulns_port and hosts_vulns_ownergroup_name, taking the bool conditions exactly from the documentation above.
vulns_port
(OK) I want to get the documents where vulns_port is 49666:
GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "vulns_port" : "49666" }
      }
    }
  }
}
Result:
{
  "took" : 83,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 4142,
    "max_score" : 5.9115334,
    "hits" : [
      {
        "_index" : "security-center-2019.01.24",
        "_type" : "doc",
        "_id" : "PKT0fWgBHaYvxmURB5eY",
        "_score" : 5.9115334,
        "_source" : {
          "vulns_port" : "49666",
          "hosts_vulns_scanners_0_loadavg" : "0.03",
          (...)
hosts_vulns_ownergroup_name
(KO) I want to get the documents where hosts_vulns_ownergroup_name is Full Access:
GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "hosts_vulns_ownergroup_name" : "Full Access" }
      }
    }
  }
}
Result:
{
  "took" : 18,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}
Where is the problem?
Answer 0 (score: 2)
Since you are using ES6, try the .keyword sub-field:
GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "hosts_vulns_ownergroup_name.keyword" : "Full Access" }
      }
    }
  }
}
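The reason the answer works is the way Elasticsearch 6 dynamically maps strings: an unmapped string becomes a `text` field, whose value is run through the standard analyzer (tokenized and lowercased) before indexing, plus a `.keyword` sub-field holding the raw value. A `term` query does not analyze its input, so `"Full Access"` is compared against the stored tokens `full` and `access` and matches nothing, whereas `"49666"` survives analysis as a single token and matches. The following toy model, added here as an example and not code from the original post or from Elasticsearch, reproduces that behaviour with a small in-memory inverted index; the sample documents and the `analyze` helper are constructed approximations, not the real analyzer. For a detection engineer the practical point is that an exact-value filter on an analyzed field silently returns zero hits rather than an error, so a rule written that way never fires; filter on `.keyword` (or use `match`) instead.

```python
"""Toy model of Elasticsearch 6 dynamic string mapping (added example).

Models only what the question exercises: a string field mapped as `text`
(analyzed with a standard-analyzer-like tokenizer) plus a `.keyword`
sub-field storing the raw value, and how `term` and `match` queries
behave against each. Documents below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample documents, shaped like the _source in the question.
DOCS = [
    {"_id": "PKT0fWgBHaYvxmURB5eY", "vulns_port": "49666",
     "hosts_vulns_ownergroup_name": "Full Access"},
    {"_id": "igzyfWgBcCggV6jwR96k", "vulns_port": "445",
     "hosts_vulns_ownergroup_name": "Full Access"},
    {"_id": "doc-3-constructed", "vulns_port": "49666",
     "hosts_vulns_ownergroup_name": "Read Only"},
]

_TOKEN = re.compile(r"\w+")


def analyze(value):
    """Approximation of the standard analyzer: split on non-word
    characters and lowercase. A pure number such as "49666" stays one token."""
    return [t.lower() for t in _TOKEN.findall(value)]


def build_index(docs):
    """Index every string field twice, as ES6 dynamic mapping does:
    `field` -> analyzed tokens (text), `field.keyword` -> exact raw value."""
    index = defaultdict(lambda: defaultdict(set))
    for doc in docs:
        for field, value in doc.items():
            if field == "_id":
                continue
            for token in analyze(value):
                index[field][token].add(doc["_id"])
            index[field + ".keyword"][value].add(doc["_id"])
    return index


def term_query(index, field, value):
    """`term`: the query value is NOT analyzed; it must equal a stored
    token (or the raw value, for a .keyword sub-field) exactly."""
    return sorted(index[field].get(value, set()))


def match_query(index, field, value):
    """`match`: the query value IS analyzed; a document matching any of
    the resulting tokens is a hit (default OR semantics)."""
    hits = set()
    for token in analyze(value):
        hits |= index[field].get(token, set())
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(DOCS)
    # Works: "49666" is a single token after analysis.
    print("term vulns_port=49666:", term_query(idx, "vulns_port", "49666"))
    # Zero hits: stored tokens are "full" and "access", never "Full Access".
    print("term text field:", term_query(idx, "hosts_vulns_ownergroup_name", "Full Access"))
    # Works: the .keyword sub-field holds the raw string.
    print("term .keyword:", term_query(idx, "hosts_vulns_ownergroup_name.keyword", "Full Access"))
    # Also works, because match analyzes the query the same way as the field.
    print("match text field:", match_query(idx, "hosts_vulns_ownergroup_name", "Full Access"))
```

Note that `match` on the `text` field would also return a document whose group name were, say, "Full Control", because it ORs the tokens; when the requirement is an exact value, `term` on `.keyword` is the precise filter.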