我正在努力为 Elastic Search 制定正确的 API 搜索调用,它将在过去 1 小时内请求我想要的 ipv4address。
第一次尝试:
curl -X GET "localhost:9200/ipaddresses/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"match": {
"ipv4address": {
"query": "50.167.71.25"
}
}
},
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
'
{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [range].","line":10,"col":12}],"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [range].","line":10,"col":12},"status":400}
第二次尝试:
curl -X GET "localhost:9200/ipaddresses/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"match": {
"ipv4address": {
"query": "50.167.71.25"
}
}
},
"fields": {
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
}
'
{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [fields].","line":10,"col":14}],"type":"parsing_exception","reason":"Unknown key for a START_OBJECT in [fields].","line":10,"col":14},"status":400}
我在 Kibana 中有什么:
{
"_index": "ipaddresses",
"_type": "default",
"_id": "TJdvR2UB9sEBYW4CrElF",
"_version": 1,
"_score": null,
"_source": {
"tags": [
"blocked",
"ipv4_address",
],
"@version": "1",
"@timestamp": "2018-08-17T10:30:25.118Z",
"ipv4_metadata": {
"host": "elk",
"name": "blocks",
"response_message": "OK",
"code": 200,
"times_retried": 0,
"runtime_seconds": 0.066403,
"response_headers": {
"connection": "keep-alive",
"x-frame-options": "sameorigin",
"last-modified": "Fri, 17 Aug 2018 10:28:06 GMT",
"keep-alive": "timeout=20",
"date": "Fri, 17 Aug 2018 10:28:20 GMT",
"content-type": "text/plain; charset=UTF-8",
"server": "nginx/1.12.2",
"transfer-encoding": "chunked",
"etag": "W/\"5c7c5-5739f03f2997f\"",
"cache-control": "public"
}
},
"ipv4address": "50.167.71.25",
"message": "50.167.71.25"
},
"fields": {
"@timestamp": [
"2018-08-17T10:30:25.118Z"
]
},
"sort": [
1534501825118
]
}
查询有什么问题? 如果我还想查找等于被阻止的“标记”字段怎么办?
请帮我把这些点连接起来。
最佳答案
此查询将返回最近 1 小时的文档:
{
"query": {
"range": {
"@timestamp": {
"gte": "now-1h",
"lt": "now"
}
}
}
}
此查询将返回标记被阻止且从过去 1 小时开始的文档:
{
"query": {
"bool": {
"must": [
{
"match": {
"tags": "blocked"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1h",
"lte": "now"
}
}
}
]
}
}
}
您可以使用 _source 限制要返回的数据.
这个查询只会返回ipv4address:
{
"_source": "ipv4address",
"query": {
"bool": {
"must": [
{
"match": {
"tags": "blocked"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1h",
"lte": "now"
}
}
}
]
}
}
}
如果您想应用更多查询,请查看 this.
关于Elasticsearch 时间范围查询和数据,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51893982/