
How to query Logstash through curl and return only specific fields

Right now I am using a "match_all" query to get the data that Logstash is processing. The output I get is every field that is part of the event, which is how it should be. My query is:

{
  "query": {
    "match_all" : { }
  },
  "size": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}
As you can see, I am also sorting my results so that I always get the most recently output event.

Here is an example of my output:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 15768,
    "max_score" : null,
    "hits" : [
      {
        "_index" : "filebeat-2017.02.24",
        "_type" : "bro",
        "_id" : "AVpx-pFtiEtl3Zqhg8tF",
        "_score" : null,
        "_source" : {
          "resp_pkts" : 0,
          "source" : "/usr/local/bro/logs/current/conn.log",
          "type" : "bro",
          "id_orig_p" : 56058,
          "duration" : 848.388112,
          "local_resp" : true,
          "uid" : "CPndOf4NNf9CzTILFi",
          "id_orig_h" : "192.168.137.130",
          "conn_state" : "OTH",
          "@version" : "1",
          "beat" : {
            "hostname" : "localhost.localdomain",
            "name" : "localhost.localdomain",
            "version" : "5.2.0"
          },
          "host" : "localhost.localdomain",
          "id_resp_h" : "192.168.137.141",
          "id_resp_p" : 22,
          "resp_ip_bytes" : 0,
          "offset" : 115612,
          "orig_bytes" : 32052,
          "local_orig" : true,
          "input_type" : "log",
          "orig_ip_bytes" : 102980,
          "orig_pkts" : 1364,
          "missed_bytes" : 0,
          "history" : "DcA",
          "tunnel_parents" : [ ],
          "message" : "{\"ts\":1487969779.653504,\"uid\":\"CPndOf4NNf9CzTILFi\",\"id_orig_h\":\"192.168.137.130\",\"id_orig_p\":56058,\"id_resp_h\":\"192.168.137.141\",\"id_resp_p\":22,\"proto\":\"tcp\",\"duration\":848.388112,\"orig_bytes\":32052,\"resp_bytes\":0,\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"DcA\",\"orig_pkts\":1364,\"orig_ip_bytes\":102980,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[]}",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "@timestamp" : "2017-02-24T21:15:29.414Z",
          "resp_bytes" : 0,
          "proto" : "tcp",
          "fields" : {
            "sensorType" : "networksensor"
          },
          "ts" : 1.487969779653504E9
        },
        "sort" : [
          1487970929414
        ]
      }
    ]
  }
}
As you can see, there is a lot of output that has to be handled in the external application (written in C#, so the garbage collection on all of these strings is considerable), and I don't need most of it.

My question is: how do I set up the query so that I only get the fields I need?

For 5.x there is a change that allows you to do _source filtering. The documentation for it shows the following:

{
  "query": {
    "match_all" : { }
  },
  "size": 1,
  "_source": ["a","b"],
  ...
Which results in:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "xxx",
        "_type" : "xxx",
        "_id" : "xxx",
        "_score" : 1.0,
        "_source" : {
          "a" : 1,
          "b" : "2"
        }
      }
    ]
  }
}
For versions earlier than 5 you can do this with the fields parameter: at the root level of the query you can pass "fields": ["field1","field2"...]. The format it returns will be different, but it will work.

{
  "query": {
    "match_all" : { }
  },
  "size": 1,
  "fields": ["a","b"],
  ...
This will produce output like:

{
  "took": 9,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "hits": {
    "total": 2077,
    "max_score": 1,
    "hits": [
      {
        "_index": "xxx",
        "_type": "xxx",
        "_id": "xxxx",
        "_score": 1,
        "fields": {
          "a": [
            0
          ],
          "b": [
            "xyz"
          ]
        }
      }
    ]
  }
}

fields is always an array (since the 1.0 API) and there is no way to change that, because of Elasticsearch's inherent multi-value awareness.

Running 5.2, I actually get an error from that:

{"error":{"root_cause":[{"type":"parsing_exception","reason":"The field [fields] is no longer supported, please use [stored_fields] to retrieve stored fields or _source filtering if the field is not stored","line":6,"col":13}]},"status":400}

Did you try using stored_fields instead of fields? (I'm not aware of the changes to the 5.x API.)

I did, and I just get the output with no fields.

Updated my answer to address 5.x.

Thanks a lot!

You can also do "excludes" and "includes" to get more specific; here is the relevant documentation.
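The 5.x _source filtering from the answer, together with the includes/excludes refinement mentioned in the comments, as one added curl/sh example. This is not code from the original post or from Elastic; the ES_URL, INDEX and ES_RUN variables, the function names and the field list taken from the question's conn.log event are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the search body the
# answer describes (match_all, size, sort on @timestamp desc, _source filtering
# with includes/excludes) and sends it with curl. ES_URL and INDEX are
# assumptions; point them at your own cluster and index pattern.
ES_URL="${ES_URL:-http://localhost:9200}"
INDEX="${INDEX:-filebeat-*}"

# quote_list 'a,b,c' -> "a","b","c"   (empty input -> empty output)
# set -f keeps the shell from glob-expanding wildcard patterns such as id_*,
# which _source filtering accepts as field selectors.
quote_list() {
  out=""
  old_ifs=$IFS
  IFS=,
  set -f
  for f in $1; do
    out="${out:+$out,}\"$f\""
  done
  set +f
  IFS=$old_ifs
  printf '%s' "$out"
}

# build_query SIZE INCLUDES [EXCLUDES]
# INCLUDES/EXCLUDES are comma-separated field lists. Only the selected parts of
# _source come back, so the raw "message" string and the beat/host metadata
# seen in the question's output never leave the cluster unless asked for.
build_query() {
  size="$1"
  includes=$(quote_list "$2")
  excludes=$(quote_list "${3:-}")
  printf '{"query":{"match_all":{}},"size":%s,"sort":[{"@timestamp":{"order":"desc"}}],"_source":{"includes":[%s],"excludes":[%s]}}' \
    "$size" "$includes" "$excludes"
}

# search INDEX SIZE INCLUDES [EXCLUDES]
# filter_path trims the response envelope (took, _shards, ...) as well, leaving
# only hits.total and each hit's _source for the consuming application.
# The Content-Type header is required from Elasticsearch 6.0 on. If the cluster
# needs credentials, use --netrc-file instead of -u so they stay out of the
# process list and shell history; add --cacert for a private TLS CA.
search() {
  body=$(build_query "$2" "$3" "${4:-}")
  curl -sS -H 'Content-Type: application/json' \
    -w '\nHTTP %{http_code}\n' \
    "$ES_URL/$1/_search?pretty&filter_path=hits.total,hits.hits._source" \
    --data-binary "$body"
}

# Print the body that would be sent; set ES_RUN=1 to send it for real.
if [ "${ES_RUN:-0}" = 1 ]; then
  search "$INDEX" 1 'uid,id_orig_h,id_orig_p,id_resp_h,id_resp_p,proto,conn_state'
else
  build_query 1 'uid,id_orig_h,id_orig_p,id_resp_h,id_resp_p,proto,conn_state'
  echo
fi
```

Against a 5.x cluster this returns one hit whose _source holds only the seven connection fields; the HTTP status printed by -w is the quick check for the 400 parsing_exception the comments ran into when the pre-5 fields parameter is sent to 5.x.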