How do I write a colon in the search value of a query?
kind: StatefulSet
...
spec:
  ...
  template:
    ...
    spec:
      ...
      volumes:
      - name: "ignite-storage"
        flexVolume:
          driver: "co.mira/lvm"
          fsType: "ext4"
          options:
            awsRegion: "us-east-1"
            vols: "2"
            tag: "ignite"
            ebsType: "{{ ignite_storage_ebs_volume_type }}"
            sizeGb: "{{ ignite_storage_ebs_volume_size_gb }}"
            iopsPerGb: "2"
      containers:
      - name: ignite
        ...
        volumeMounts:
        - name: "ignite-storage"
          mountPath: "..."
As you can see, I am trying to use
{
  "size": 0,
  "_source": [
    "attrs.from"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": 1554792885000,
              "lte": 1554814485000,
              "format": "epoch_millis"
            }
          }
        },
        {
          "query_string": {
            "query": "attrs.r-uri:sip\\:example.org",
            "analyze_wildcard": true,
            "fuzzy_max_expansions": 0,
            "fuzziness": 0
          }
        }
      ]
    }
  },
  "aggs": {
    "agg": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "5m",
        "time_zone": "Europe/Berlin",
        "min_doc_count": 1
      },
      "aggs": {
        "agg": {
          "terms": {
            "field": "attrs.type",
            "size": 30,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}
or uri:sip\\:example.org, but so far without success. However, when I run the same query from Kibana (I can see the chart's request), it works fine, so it is not a tokenization problem.
---------Update---------------
Here is the mapping of the r-uri field
uri:sip\:example.org
Analyzer:
"r-uri": {
  "index": true,
  "type": "text",
  "copy_to": "attrs.all_copy",
  "analyzer": "autocomplete",
  "search_analyzer": "whitespace",
  "fields": {
    "keyword":{
      "type": "keyword",
      "index": true
    }
  }