试图在ES中模拟以下表达式
expr1 && expr2 && expr3
我想到了这个
curl -X GET "http://localhost:9200/policy_router-2019.12.30/_search?pretty" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must" : [
{
"range" : { "@timestamp": { "gte": "now-15s", "lte": "now"} }
},
{
"query_string": { "query": "rewriteGateway", "default_field" : "message" }
},
{
"query_string": {"query": "policy-router-summer-snow-5555" ,"default_field" : "host" }
}
]
}
}
}'
但是,似乎我无法将我想要的东西与上述查询正确地等同起来。也就是说,每次我运行上述查询时,我都会看到文档的宿主值与我希望的值不同,即policy-router-summer-snow-5555
在这里
我还尝试将must
嵌套在外部必须中,但这导致语法错误。
我无法理解为什么主机的最后一个query_string
表达式不匹配。
以下是我的ES版本
{
"name" : "an2FbQZ",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "gIk5QPI3Rb6NPckeCRaUqQ",
"version" : {
"number" : "5.5.2",
"build_hash" : "b2f0c09",
"build_date" : "2017-08-14T12:33:14.154Z",
"build_snapshot" : false,
"lucene_version" : "6.6.0"
},
"tagline" : "You Know, for Search"
}
以下是我的文档的外观(这是上述查询返回的文档之一,可以清楚地看到主机不匹配)
{
"_index" : "policy_router-2019.12.31",
"_type" : "policy_router",
"_id" : "AW9aG7_1tIiuv3oe07ZO",
"_score" : 4.6003995,
"_source" : {
"severity" : "INFO",
"input" : "udp",
"@timestamp" : "2019-12-31T03:59:25.107Z",
"@version" : "1",
"host" : "policy-router-proud-cherry-2098",
"message" : "2019-12-31 03:59:25.107111 I [PolicyRouter::Push] PolicyRouter -- PR -> LA ... rewrite gateway ... ",
"type" : "policy_router"
}
}```
Any guidance here from ES expert.
答案 0 :(得分:0)
尝试使用该查询以及您字段的名称和值。
{
"query": {
"bool": {
"must": [
{
"range": {
"FIELD": {
"gte": 10,
"lte": 20
}
}
},
{
"match_phrase": {
"FIELD": "PHRASE"
}
},
{
"match_phrase": {
"FIELD": "PHRASE"
}
}
]
}
}
}