Notes
Building the compound query
0.0 ES address: http://user:password@:8999/cluster_id/ (the host is omitted here; note that putting credentials in the URL leaves them in shell history and proxy logs, so an Authorization header is the safer way to send them)
0.1 Search log index: prod-logs/_search
0.2 Request method: POST
1. Query the data containing log_geo: "wildcard": { "message": "*log_geo*" }
A * in front of log_geo matches data ending in log_geo: "wildcard": { "message": "*log_geo" }
A * after log_geo matches data starting with log_geo: "wildcard": { "message": "log_geo*" }
A * before and after log_geo is a general match for records containing log_geo. A leading * forces ES to scan every term in the field, so it is slow on large indices and should be limited by a time range.
"wildcard": { "message": "*log_geo*" }
2. Query the data for a certain period of time
"range": { "@timestamp": { "gt": "2018-02-08T07:00:00.056000000+00:00", "lt": "2018-02-08T08:00:00.056000000+00:00" } }
# Note: @timestamp is stored in UTC, so a local (UTC+8) time must have 8 hours subtracted; 15:00 local is the 07:00+00:00 shown above.
3. Conditional query and conditional exclusion of data
3.1 match: include records whose message contains the provider type
{ "match": { "message": "type:provider" } }
3.2 must_not takes the same clauses as must, but excludes the records that match them
Exclude: "must_not": { "match": { "message": "dateTime:2018-02-08 15:59" } }
4. from is the zero-based offset of the first record returned
5. size is the number of records returned
Query clauses 1, 2 and 3 can be combined or used separately.
If a query does not return the expected result, the cause is usually ES's analyzer (tokenization): a match query against an analyzed text field splits the query string into terms, so "type:platform" becomes the terms "type" and "platform" (matched with OR by default) and any * characters are dropped rather than treated as wildcards. Use wildcard for pattern matching, and match_phrase or a keyword field when the exact string is required.
{
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gt": "2018-02-08T07:00:00.056000000+00:00", "lt": "2018-02-08T08:00:00.056000000+00:00" } } },
        { "wildcard": { "message": "*cp_geo*" } },
        { "match": { "message": "type:platform" } }
      ],
      "must_not": { "match": { "message": "deviceTypeCode:DTout00000000" } },
      "should": []
    }
  },
  "from": 0,
  "size": 50,
  "sort": { "@timestamp": "desc" },
  "aggs": {}
}
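The same compound query built programmatically, as an added example that is not part of the original page. It converts a local UTC+8 window to the UTC timestamps @timestamp expects, assembles the bool clauses, sends the request with credentials in an Authorization header instead of the URL, and includes a rough stand-in for the standard analyzer to show why a match clause drops * and splits "type:platform" into two terms. The UTC+8 offset, the field names and the base URL are assumptions taken from the page; standard_tokens is an approximation, not the real ES analyzer.

```python
"""Build and send the compound log query from the page (added example)."""
import base64
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption: the log source runs in UTC+8 (the page's "minus 8 hours" note).
LOCAL_TZ = timezone(timedelta(hours=8))


def local_to_utc_iso(ts: str) -> str:
    """'2018-02-08 15:00:00' in UTC+8 -> '2018-02-08T07:00:00+00:00'."""
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return local.astimezone(timezone.utc).isoformat()


def build_query(start_local, end_local, contains=None, must_match=(),
                exclude_match=(), from_=0, size=50):
    """Assemble the bool query: range (required), optional wildcard,
    match clauses in must, and match clauses in must_not."""
    must = [{"range": {"@timestamp": {"gt": local_to_utc_iso(start_local),
                                      "lt": local_to_utc_iso(end_local)}}}]
    if contains:
        # Leading * is slow; the range clause above bounds the scan.
        must.append({"wildcard": {"message": f"*{contains}*"}})
    must += [{"match": {"message": term}} for term in must_match]
    must_not = [{"match": {"message": term}} for term in exclude_match]
    return {
        "query": {"bool": {"must": must, "must_not": must_not}},
        "from": from_,
        "size": size,
        "sort": {"@timestamp": "desc"},
    }


def standard_tokens(text: str):
    """Approximation of ES's standard analyzer: lowercase, split on
    non-word characters. The point it illustrates holds for the real
    analyzer too: '*' and ':' are discarded, so a match clause cannot
    use them as wildcards."""
    return re.findall(r"\w+", text.lower())


def post_query(base_url, index, query, user, password, timeout=30):
    """POST the query to <base_url>/<index>/_search with HTTP Basic auth in
    a header rather than in the URL (assumed endpoint layout)."""
    url = f"{base_url.rstrip('/')}/{index}/_search"
    req = urllib.request.Request(url, data=json.dumps(query).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    q = build_query("2018-02-08 15:00:00", "2018-02-08 16:00:00",
                    contains="cp_geo", must_match=["type:platform"],
                    exclude_match=["deviceTypeCode:DTout00000000"])
    print(json.dumps(q, indent=2))
    print(standard_tokens("*type:platform*"))  # terms a match clause sees
```

Run it stand-alone to print the query; call post_query with the cluster's base URL and the prod-logs index to execute it. Note that standard_tokens("*type:platform*") yields ["type", "platform"], which is why the earlier note recommends wildcard or match_phrase when the exact string matters.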