Using a compound "AND" in ES

Question  Votes: 0  Answers: 1

Trying to emulate the following expression in ES

expr1 && expr2 && expr3

I came up with this

curl -X GET "http://localhost:9200/policy_router-2019.12.30/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "query": {
    "bool": {
      "must": [
        {
          "range": { "@timestamp": { "gte": "now-15s", "lte": "now" } }
        },
        {
          "query_string": { "query": "rewriteGateway", "default_field": "message" }
        },
        {
          "query_string": { "query": "policy-router-summer-snow-5555", "default_field": "host" }
        }
      ]
    }
  }
}'

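However, it seems I am unable to correctly express what I want with the above query. That is, every time I run the above query, I see documents with a host value different from policy-router-summer-snow-5555.

I also tried nesting the must inside an outer must, but that resulted in a syntax error.

I cannot understand why the last query_string expression for host is not matching.

Below is my ES version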

{
  "name" : "an2FbQZ",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "gIk5QPI3Rb6NPckeCRaUqQ",
  "version" : {
    "number" : "5.5.2",
    "build_hash" : "b2f0c09",
    "build_date" : "2017-08-14T12:33:14.154Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.0"
  },
  "tagline" : "You Know, for Search"
}

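Below is what my document looks like (this is one of the documents returned by the above query, and it can clearly be seen that the host does not match)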

{
        "_index" : "policy_router-2019.12.31",
        "_type" : "policy_router",
        "_id" : "AW9aG7_1tIiuv3oe07ZO",
        "_score" : 4.6003995,
        "_source" : {
          "severity" : "INFO",
          "input" : "udp",
          "@timestamp" : "2019-12-31T03:59:25.107Z",
          "@version" : "1",
          "host" : "policy-router-proud-cherry-2098",
          "message" : "2019-12-31 03:59:25.107111 I [PolicyRouter::Push] PolicyRouter -- PR -> LA ... rewrite gateway ... ",
          "type" : "policy_router"
        }
      }

Any guidance here from an ES expert?
elasticsearch
1 Answer
0 votes

Try this query with the names and values of your fields.

{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "FIELD": {
              "gte": 10,
              "lte": 20
            }
          }
        },
        {
          "match_phrase": {
            "FIELD": "PHRASE"
          }
        },
        {
          "match_phrase": {
            "FIELD": "PHRASE"
          }
        }
      ]
    }
  }
}
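
A simplified model, added here and not part of the original question or answer, of why the host clause in the question can match other hosts while a phrase match does not. It assumes `host` is an analyzed text field using the standard analyzer and that `query_string` applies its default OR operator to the tokens of the value; the function names are hypothetical and the third sample host is constructed.

```python
import re

def analyze(text):
    # Simplified stand-in for the standard analyzer (assumption): lowercase
    # the value and split it wherever a non-alphanumeric character appears.
    return re.findall(r"[a-z0-9]+", text.lower())

def or_match(query, field_value):
    # query_string with the default OR operator: one shared token is enough.
    field_tokens = set(analyze(field_value))
    return any(token in field_tokens for token in analyze(query))

def phrase_match(query, field_value):
    # match_phrase: every query token must appear, adjacent and in order.
    q, f = analyze(query), analyze(field_value)
    if not q:
        return False
    return any(f[i:i + len(q)] == q for i in range(len(f) - len(q) + 1))

def search(docs, host_query, matcher):
    # Return the host of every document whose host field satisfies matcher.
    return [d["host"] for d in docs if matcher(host_query, d["host"])]

DOCS = [
    {"host": "policy-router-proud-cherry-2098"},  # returned document on the page
    {"host": "policy-router-summer-snow-5555"},   # host the query asks for
    {"host": "edge-proxy-quiet-lake-0001"},       # constructed sample value
]
WANTED = "policy-router-summer-snow-5555"

if __name__ == "__main__":
    print("tokens:      ", analyze(WANTED))
    print("OR of tokens:", search(DOCS, WANTED, or_match))
    print("phrase:      ", search(DOCS, WANTED, phrase_match))
```

Under these assumptions the OR semantics return both policy-router hosts because they share the tokens `policy` and `router`, while the phrase semantics return only the requested host.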