How to get only one field from elasticsearch in the output?
{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1999,
      "relation": "eq"
    },
    "max_score": 1.0,
    "hits": [
      {
        "_index": "logstash-2021.01.13-000001",
        "_type": "_doc",
        "_id": "lVef-3YBI8ZVMz0vOphU",
        "_score": 1.0,
        "_source": {
          "host": {
            "name": "AAD-W1PF14DMMK"
          },
          "@timestamp": "2021-01-13T12:01:19.794Z",
          "log": {
            "file": {
              "path": "C:\\elk\\test.log"
            },
            "offset": 158
          },
          "type": "test",
          "tags": [
            "beats_input_codec_plain_applied"
          ],
          "ecs": {
            "version": "1.6.0"
          },
          "agent": {
            "hostname": "AAD-W1PF14DMMK",
            "type": "filebeat",
            "name": "AAD-W1PF14DMMK",
            "id": "4aa46436-264c-40ba-a24a-17af072c8363",
            "version": "7.10.1",
            "ephemeral_id": "18c7451e-78a8-4806-b43f-5ebae812b533"
          },
          "@version": "1",
          "message": "2015-10-18 18:01:48,963 INFO [main] org.apache.hadoop.mapreduce.v2.app.MRAppMaster: Executing with tokens:"
        }
      }
    ]
  }
}
I want to get output like this:
{ "message": "2015-10-18 18:01:48,963 INFO [main] org.apache.hadoop.mapreduce.v2.app.MRAppMaster: Executing with tokens:" }
I tried using
GET localhost:9200/_search?filter_path=hits.hits._source
{
  "_source": {
    "includes": ["message"]
  },
  "query": {
    "multi_match": {
      "query": "ERROR",
      "fields": ["message"]
    }
  }
}
It works, but it gives a warning that this will be deprecated by default.
Warning:
#! Deprecation: this request accesses system indices: [.apm-agent-configuration, .apm-custom-link, .async-search, .kibana_1, .kibana_task_manager_1], but in a future major version, direct access to system indices will be prevented by default
What is the alternative solution?
Your query is correct. The error is related to the way you execute the _search request.
Instead of hitting
GET localhost:9200/_search...
{ ... }
use a concrete index name; in your case:
GET localhost:9200/logstash-2021.01.13-000001/_search...
{ ... }
Hint: wildcard index names are also supported:
GET localhost:9200/logstash-2021*/_search...
{ ... }
The same goes for multi-index queries:
GET localhost:9200/logstash-2021*,logstash-2020*/_search...
{ ... }
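As an added example (not code from the question or the answer), a small Python helper that builds the index-scoped request the answer recommends, with the same `_source` includes and `filter_path` as the question, and refuses the bare `/_search` form that also reaches system indices such as `.kibana_1`; the sample response and the rejection rules for `*`, `_all` and patterns beginning with `.` or `*` are assumptions made for illustration.

```python
import json
from urllib.parse import urlencode

# Constructed sample (assumption for illustration): one hit trimmed from the
# response shown in the question, as it looks after _source filtering.
SAMPLE_RESPONSE = {
    "hits": {
        "hits": [
            {
                "_index": "logstash-2021.01.13-000001",
                "_id": "lVef-3YBI8ZVMz0vOphU",
                "_source": {"message": "2015-10-18 18:01:48,963 INFO [main] "
                            "org.apache.hadoop.mapreduce.v2.app.MRAppMaster: Executing with tokens:"},
            }
        ]
    }
}


def build_search(base_url, indices, field, query_text):
    """Return (url, body) for a _search scoped to explicit index names.

    Refuses the forms that search the whole cluster (an empty index list,
    '*' or '_all'), because a bare /_search also touches system indices such
    as .kibana_1, which is what the deprecation warning is about. Patterns
    beginning with '.' or '*' are rejected conservatively as well (assumed
    policy), since they may expand to dot-prefixed system indices.
    """
    if not indices:
        raise ValueError("no index given: bare /_search would search every index")
    for name in indices:
        if name in ("*", "_all") or name[0] in ".*":
            raise ValueError(f"index pattern {name!r} may match system indices")
    params = urlencode({"filter_path": "hits.hits._source"})
    url = f"{base_url}/{','.join(indices)}/_search?{params}"
    body = {
        "_source": {"includes": [field]},  # return only this field from each hit
        "query": {"multi_match": {"query": query_text, "fields": [field]}},
    }
    return url, body


def extract_field(response, field):
    """Collect one field from every hit, skipping hits that lack it."""
    hits = response.get("hits", {}).get("hits", [])
    return [h["_source"][field] for h in hits if field in h.get("_source", {})]


if __name__ == "__main__":
    url, body = build_search("http://localhost:9200", ["logstash-2021*"], "message", "ERROR")
    print(url)
    print(json.dumps(body, indent=2))
    print(extract_field(SAMPLE_RESPONSE, "message"))
```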