Filter specific fields in Elasticsearch
We are using Elasticsearch and Kibana to query logs.
The data ingested into Elasticsearch has the following format:
{
  "took" : 84,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 5719,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "evtdata-2020-11",
        "_type" : "_doc",
        "_id" : "49612101596783840103434103604261455601292612965391925250.0",
        "_score" : 1.0,
        "_source" : {
          "id" : "unknown:B8-27-EB-47-B4-2A",
          "timestamp" : 1604453736242,
          "data" : [
            {
              "e" : "A",
              "v" : 15.0
            },
            {
              "e" : "B",
              "v" : 30.22
            },
            {
              "s" : "A",
              "v" : 1.4
            },
            {
              "s" : "B",
              "v" : 310
            },
            {
              "s" : "C",
              "v" : 2
            }
          ],
          "drift" : -3.0
        }
      }
    ]
  }
}
We only want to get the data entries with e = A within a specific time range, i.e.
"data" : [
  {
    "e" : "A",
    "v" : 15.0
  }
]
The query I have built so far is:
GET /evtdata-2020-11/_search
{
  "_source": [
    "data.e",
    "data.v"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "data.e": "A"
          }
        },
        {
          "range": {
            "timestamp": {
              "gte": 1604453773434,
              "lt": 1604453778451
            }
          }
        }
      ]
    }
  }
}
But with the above query I get all the e and v values. Can someone tell me how to change the query so that only the e and v of type A are returned in the response?
You cannot query each object independently of the other objects in the array. If you need to be able to do this then you should use the nested datatype instead of the object data type.
You can then use inner_hits, which returns the documents based on the matches in the nested inner objects.
Index mapping:
{
  "mappings": {
    "properties": {
      "data": {
        "type": "nested"
      }
    }
  }
}
Search query:
{
  "query": {
    "nested": {
      "path": "data",
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "data.e": "A"
              }
            }
          ]
        }
      },
      "inner_hits": {}
    }
  }
}
Search result:
"inner_hits": {
  "data": {
    "hits": {
      "total": {
        "value": 1,
        "relation": "eq"
      },
      "max_score": 0.6931471,
      "hits": [
        {
          "_index": "64705886",
          "_type": "_doc",
          "_id": "1",
          "_nested": {
            "field": "data",
            "offset": 0
          },
          "_score": 0.6931471,
          "_source": {
            "e": "A",
            "v": 15.0
          }
        }
      ]
    }
  }
}
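The answer shows the nested clause on its own; the question also needed the time-range restriction and wanted only the matching array elements back. The block below puts the two together and adds a helper that pulls the matched elements out of the inner_hits section of a response. It is an added example, not code from the question, the answer or Elasticsearch itself: the index name, field names and timestamps are taken from the question, while build_query, extract_matches, _sample_hit and SAMPLE_RESPONSE are assumed names and the response data is constructed to mirror the shape shown in the answer.

```python
"""Nested query + inner_hits for the evtdata case, with the time-range filter
the question asked for.  Added example, not code from the original post or
from Elasticsearch; index/field names come from the question, everything
else (function names, the constructed SAMPLE_RESPONSE) is assumed."""
import json
from typing import Any, Dict, List, Tuple


def build_query(e_value: str, gte_ms: int, lt_ms: int) -> Dict[str, Any]:
    """Search body returning only the `data` objects whose e == e_value, for
    documents whose root-level timestamp falls in [gte_ms, lt_ms).

    `timestamp` lives on the root document, so its range clause goes in the
    outer bool; the e == value test goes inside the nested clause so it is
    evaluated per array element (requires `data` mapped as type "nested").
    Building the body as a dict and letting the client serialise it means a
    caller-supplied e_value (e.g. from a Kibana-style UI) cannot break out of
    the query structure the way string-formatted JSON could.
    """
    return {
        # Drop the full _source: with the object mapping, _source filtering on
        # data.e/data.v still returns every element of the array.  The inner
        # hits carry the matching elements only.
        "_source": False,
        "query": {
            "bool": {
                "must": [
                    {
                        "nested": {
                            "path": "data",
                            # match on the dynamically mapped text field, as in
                            # the answer; use {"term": {"data.e.keyword": ...}}
                            # if exact, case-sensitive matching is required.
                            "query": {"match": {"data.e": e_value}},
                            "inner_hits": {},
                        }
                    },
                    {"range": {"timestamp": {"gte": gte_ms, "lt": lt_ms}}},
                ]
            }
        },
    }


def extract_matches(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a search response into one record per matched nested object,
    keeping the parent document id and the element's offset in the array."""
    records: List[Dict[str, Any]] = []
    for hit in response.get("hits", {}).get("hits", []):
        inner = hit.get("inner_hits", {}).get("data", {}).get("hits", {}).get("hits", [])
        for element in inner:
            records.append(
                {
                    "doc_id": hit["_id"],
                    "offset": element["_nested"]["offset"],
                    **element["_source"],
                }
            )
    return records


def _sample_hit(doc_id: str, matched: List[Tuple[int, str, float]]) -> Dict[str, Any]:
    """Build one response hit in the shape inner_hits produces (constructed sample)."""
    return {
        "_index": "evtdata-2020-11",
        "_id": doc_id,
        "_score": 1.0,
        "inner_hits": {
            "data": {
                "hits": {
                    "total": {"value": len(matched), "relation": "eq"},
                    "hits": [
                        {
                            "_nested": {"field": "data", "offset": off},
                            "_score": 1.0,
                            "_source": {"e": e, "v": v},
                        }
                        for off, e, v in matched
                    ],
                }
            }
        },
    }


# Constructed sample response: doc "1" mirrors the answer's result, doc "2" has
# two matching elements (offsets 0 and 3) to show that every match comes back.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            _sample_hit("1", [(0, "A", 15.0)]),
            _sample_hit("2", [(0, "A", 7.5), (3, "A", 9.0)]),
        ],
    }
}


if __name__ == "__main__":
    print(json.dumps(build_query("A", 1604453773434, 1604453778451), indent=2))
    for record in extract_matches(SAMPLE_RESPONSE):
        print(record)
```

The body from build_query is sent unchanged as the request body of GET /evtdata-2020-11/_search. Two caveats when applying this to the question's setup: an existing index cannot have `data` switched from object to nested in place, so the nested mapping goes on a new index and the data is reindexed into it; and the range clause is an outer, per-document filter, so it decides which documents qualify while the nested clause decides which array elements are returned for each of them.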