My index contains the following data:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 4,
"max_score": 1,
"hits": [
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=0 RESULT tag=97 err=49 text=",
"@timestamp": "2016-11-11T10:52:42.921Z",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 0,
"tag": 97,
"error_code": 49
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 fd=13 ACCEPT from IP=10.1.2.2:37713 (IP=0.0.0.0:389)",
"@version": "1",
"@timestamp": "2016-11-11T10:52:42.920Z",
"type": "slapdmine",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"fd_number": "13",
"src_ip": "10.1.2.2"
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=0 BIND dn=\"uid=dharmikp,ou=python,dc=red5admin\" method=128",
"@version": "1",
"@timestamp": "2016-11-11T10:52:42.920Z",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 0,
"operation_name": "BIND",
"bind_dn": "uid=dharmikp,ou=python,dc=red5admin",
"bind_method": "128"
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=1 UNBIND",
"@timestamp": "2016-11-11T10:52:42.953Z",
"type": "slapdmine",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 1,
"operation_name": "UNBIND"
}
}
]
}
}
I want to find the list of src_ip values for error_code 49. These two attributes never exist in a single document, but the connection ID is the same across the documents of one connection. If I had to write an SQL query, I would probably do it like this:
select src_ip from ldap where connection in (select connection
from ldap where error_code = 49)
Any idea how I can achieve this in ElasticSearch?
Using ElasticSearch (2.3.3).
Index mapping:
"para-slapdmine-logs-2016.11.11" : {
"mappings" : {
"slapdmine" : {
"properties" : {
"@timestamp" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
},
"@version" : {
"type" : "string"
},
"bind_dn" : {
"type" : "string"
},
"bind_method" : {
"type" : "string"
},
"connection" : {
"type" : "long"
},
"dst_ip" : {
"type" : "string"
},
"dst_port" : {
"type" : "string"
},
"error_code" : {
"type" : "long"
},
"fd_number" : {
"type" : "string"
},
"host" : {
"type" : "string"
},
"logsource" : {
"type" : "string"
},
"message" : {
"type" : "string"
},
"operation_name" : {
"type" : "string"
},
"operation_number" : {
"type" : "long"
},
"pid" : {
"type" : "string"
},
"program" : {
"type" : "string"
},
"src_ip" : {
"type" : "string"
},
"src_port" : {
"type" : "string"
},
"tag" : {
"type" : "long"
},
"timestamp" : {
"type" : "string"
},
"type" : {
"type" : "string"
}
}
}
}
}
Best answer
I'm afraid there is currently no way to do something like an SQL subquery, but you can still do an application-side join using a terms query, as shown below:
GET /my_index/ldap/_search
{
"query": {
"bool": {
"filter": [{ "term": { "error_code": 49 }}]
}
}
}
GET /my_index/ldap/_search
{
"query": {
"bool": {
"filter": [{ "terms": { "connection": [RESULTS_FROM_FIRST_QUERY] }}]
}
}
}
Hope this helps.
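The two-step join above, carried out end to end, as an added example that is not part of the original question or answer. It builds the two query bodies the answer describes (adding an explicit `size`, because Elasticsearch returns only 10 hits by default and would silently truncate the join, and an `exists` filter so that only the ACCEPT documents carrying `src_ip` come back), batches the connection IDs so the terms list stays bounded, and groups the result by source IP, which is what you want when err=49 (LDAP invalidCredentials) is being used to spot password guessing. `search` is any callable that takes a query body and returns the hit list; against a real cluster you would pass `lambda body: es.search(index="para-slapdmine-logs-*", body=body)["hits"]["hits"]` from the official Python client. The `local_search` stand-in and `SAMPLE_DOCS` are constructed here from the four documents in the question plus two extra connections (one successful bind, one more failed bind) so the block runs offline.

```python
"""Application-side join: src_ip for every slapd connection that logged err=49."""
from collections import defaultdict

ERROR_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


def failed_connections_query(error_code=ERROR_INVALID_CREDENTIALS, size=10000):
    """Query 1: every RESULT document with the given error code.

    `size` is explicit because the default of 10 would truncate the join;
    10000 is the 2.x index.max_result_window, beyond that use scroll."""
    return {
        "size": size,
        "_source": ["connection"],
        "query": {"bool": {"filter": [{"term": {"error_code": error_code}}]}},
    }


def connection_lookup_query(connection_ids, size=10000):
    """Query 2: the ACCEPT documents (the ones carrying src_ip) for those connections."""
    return {
        "size": size,
        "_source": ["connection", "src_ip"],
        "query": {"bool": {"filter": [
            {"terms": {"connection": sorted(connection_ids)}},
            {"exists": {"field": "src_ip"}},
        ]}},
    }


def chunks(seq, n):
    """Yield lists of at most n items so the terms list never grows unbounded."""
    seq = list(seq)
    for i in range(0, len(seq), n):
        yield seq[i:i + n]


def join_src_ips(search, batch_size=1024):
    """Run the join. `search(body)` must return the list of hit dicts.

    Returns {src_ip: sorted list of connection ids that failed with err=49}."""
    conn_ids = {h["_source"]["connection"] for h in search(failed_connections_query())}
    by_ip = defaultdict(set)
    for batch in chunks(conn_ids, batch_size):
        for hit in search(connection_lookup_query(batch)):
            src = hit["_source"]
            by_ip[src["src_ip"]].add(src["connection"])
    return {ip: sorted(ids) for ip, ids in by_ip.items()}


# Constructed sample: the four documents from the question (fields that matter
# for the join) plus two extra connections so the filtering is visible.
SAMPLE_DOCS = [
    {"connection": 1046, "operation_number": 0, "tag": 97, "error_code": 49},
    {"connection": 1046, "fd_number": "13", "src_ip": "10.1.2.2"},
    {"connection": 1046, "operation_number": 0, "operation_name": "BIND",
     "bind_dn": "uid=dharmikp,ou=python,dc=red5admin", "bind_method": "128"},
    {"connection": 1046, "operation_number": 1, "operation_name": "UNBIND"},
    # constructed: successful bind from another host, must not appear in the result
    {"connection": 1047, "fd_number": "14", "src_ip": "10.1.2.3"},
    {"connection": 1047, "operation_number": 0, "tag": 97, "error_code": 0},
    # constructed: a second failed bind from the same host as conn 1046
    {"connection": 1050, "fd_number": "15", "src_ip": "10.1.2.2"},
    {"connection": 1050, "operation_number": 0, "tag": 97, "error_code": 49},
]


def _matches(doc, clause):
    """In-memory evaluation of the three filter clauses the queries above use."""
    (kind, arg), = clause.items()
    if kind == "term":
        (field, value), = arg.items()
        return doc.get(field) == value
    if kind == "terms":
        (field, values), = arg.items()
        return doc.get(field) in values
    if kind == "exists":
        return arg["field"] in doc
    raise ValueError("unsupported clause: %s" % kind)


def local_search(body, docs=SAMPLE_DOCS):
    """Stand-in for es.search(...)["hits"]["hits"] over the constructed documents."""
    filters = body["query"]["bool"]["filter"]
    hits = [d for d in docs if all(_matches(d, c) for c in filters)]
    return [{"_source": d} for d in hits[:body["size"]]]


if __name__ == "__main__":
    print(join_src_ips(local_search))  # {'10.1.2.2': [1046, 1050]}
```

If the first query can return more than `index.max_result_window` documents, swap it for a `terms` aggregation on `connection` (or the scroll API) rather than raising `size`; the second query is unchanged either way.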
Regarding elasticsearch - ElasticSearch: nested query inside an "IN" operator, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/40547248/