<img src="//i.stack.imgur.com/RUiNP.png" height="16" width="18" alt="" class="sponsor tag img">elasticsearch 弹性搜索中的筛选特定字段_<img Src="//i.stack.imgur.com/RUiNP.png" Height="16" Width="18" Alt="" Class="sponsor Tag Img">elasticsearch_Kibana_Elastic Stack

elasticsearch 弹性搜索中的筛选特定字段

kibana

elasticsearch 弹性搜索中的筛选特定字段,elasticsearch,kibana,elastic-stack,elasticsearch,Kibana,Elastic Stack,我们使用ElasticSearch和Kibana来查询日志 ElasticSearch中接收的数据格式如下： { "took" : 84, "timed_out" : false, "_shards" : { "total" : 5, "successful" : 5, "skipped" : 0, "failed"

我们使用ElasticSearch和Kibana来查询日志

ElasticSearch中接收的数据格式如下：

{
  "took" : 84,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 5719,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "evtdata-2020-11",
        "_type" : "_doc",
        "_id" : "49612101596783840103434103604261455601292612965391925250.0",
        "_score" : 1.0,
        "_source" : {
          "id" : "unknown:B8-27-EB-47-B4-2A",
          "timestamp" : 1604453736242,
          "data" : [
            {
              "e" : "A",
              "v" : 15.0
            },
            {
              "e" : "B",
              "v" : 30.22
            },
            {
              "s" : "A",
              "v" : 1.4
            },
            {
              "s" : "B",
              "v" : 310
            },            {
              "s" : "C",
              "v" : 2
            }
          ],
          "drift" : -3.0
        }
      }
    }
}

我们只想得到在特定时间范围内值e=A的数据索引

  "data" : [
    {
      "e" : "A",
      "v" : 15.0
    }
]

目前，我构建的查询是：

GET /evtdata-2020-11/_search
{
  "_source": [
    "data.e",
    "data.v"
  ],
  "query": {
    "bool": {
      "must": [
        "inner",
        {
          "match": {
            "data.e": "A"
          }
        },
        {
          "range": {
            "timestamp": {
              "gte": 1604453773434,
              "lt": 1604453778451
            }
          }
        }
      ]
    }
  }
}

然而，通过上面的查询，我得到了所有e和v 有人能告诉我如何更改查询以仅在respone中获取A类型的e和v

不能独立于中的其他对象查询每个对象 . 如果您需要能够做到这一点，那么您应该使用嵌套的数据类型，而不是对象数据类型

然后可以使用where，根据嵌套内部对象中的匹配返回文档

索引映射：

{
  "mappings": {
    "properties": {
      "data": {
        "type": "nested"
      }
    }
  }
}

{
  "query": {
    "nested": {
      "path": "data",
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "data.e": "A"
              }
            }
          ]
        }
      },
    "inner_hits":{}
    }
  }
}

"inner_hits": {
          "data": {
            "hits": {
              "total": {
                "value": 1,
                "relation": "eq"
              },
              "max_score": 0.6931471,
              "hits": [
                {
                  "_index": "64705886",
                  "_type": "_doc",
                  "_id": "1",
                  "_nested": {
                    "field": "data",
                    "offset": 0
                  },
                  "_score": 0.6931471,
                  "_source": {
                    "e": "A",
                    "v": 15.0
                  }
                }
              ]
            }
          }
        }

搜索查询：

{
  "mappings": {
    "properties": {
      "data": {
        "type": "nested"
      }
    }
  }
}

{
  "query": {
    "nested": {
      "path": "data",
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "data.e": "A"
              }
            }
          ]
        }
      },
    "inner_hits":{}
    }
  }
}

"inner_hits": {
          "data": {
            "hits": {
              "total": {
                "value": 1,
                "relation": "eq"
              },
              "max_score": 0.6931471,
              "hits": [
                {
                  "_index": "64705886",
                  "_type": "_doc",
                  "_id": "1",
                  "_nested": {
                    "field": "data",
                    "offset": 0
                  },
                  "_score": 0.6931471,
                  "_source": {
                    "e": "A",
                    "v": 15.0
                  }
                }
              ]
            }
          }
        }

搜索结果：

{
  "mappings": {
    "properties": {
      "data": {
        "type": "nested"
      }
    }
  }
}

{
  "query": {
    "nested": {
      "path": "data",
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "data.e": "A"
              }
            }
          ]
        }
      },
    "inner_hits":{}
    }
  }
}

"inner_hits": {
          "data": {
            "hits": {
              "total": {
                "value": 1,
                "relation": "eq"
              },
              "max_score": 0.6931471,
              "hits": [
                {
                  "_index": "64705886",
                  "_type": "_doc",
                  "_id": "1",
                  "_nested": {
                    "field": "data",
                    "offset": 0
                  },
                  "_score": 0.6931471,
                  "_source": {
                    "e": "A",
                    "v": 15.0
                  }
                }
              ]
            }
          }
        }

您是否有机会仔细阅读我的答案，期待得到您的反馈：）