- elasticsearch/
elasticsearch 带And和Or条件的Elasticsearch查询
elasticsearch 带And和Or条件的Elasticsearch查询
我有如下的弹性数据
{
"_index": "prod",
"_type": "log",
"_id": "aa",
"_source": {
"input_type": "log",
"sourcetype": "sourcetypeapp1",
"message": "APP COMPANY|80d596f6-2082-4a1d-bcfc-740478f626ec|001 ErrorMessage: Some error"
"type": "log",
"tags": [
"beats_input_codec_plain_applied"
]
}
}
(Message : "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" AND Message:"ErrorMessage")
Or
(Message : "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" AND Message:"ErrorMessage")
Or
(Message : "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" AND Message:"ErrorMessage")
你能试试这样的东西吗
{
"query": {
"match": {
"Message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001"
}
}
}
{
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" } },
{ "match": { "message": "ErrorMessage"}}
]
}
},
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" } },
{ "match": { "message": "ErrorMessage"}}
]
}
},
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" } },
{ "match": { "message": "ErrorMessage"}}
]
}
}
]
}
}
}
{
"query": {
"bool": {
"must": [
{ "match": { "message": "ErrorMessage"}},
{
"bool": {
"should": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" } },
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" } },
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" } }
]
}
}
]
}
}
}
如何添加多个and或条件?您可以在bool查询中使用should(or)和must(and)i已尝试此查询,我没有得到正确的结果,好像任何消息包含-2082-然后都会显示出来。但我希望整个短语在整个文本中匹配,“公司| 80d596f6-2082-4a1d-bcfc-740478f626eA | 001。看起来由于连字符我尝试了这个查询,我没有得到正确的结果,好像任何包含4a1d的消息都显示出来了。但是我希望这整个短语在整个文本中匹配,“COMPANY | 80d596f6-2082-4a1d-bcfc-740478f626eA | 001”我以为您想知道如何使用multi或condition of AND conditions。如果要匹配整个文本,应使用通配符not match。Match分析您提供的文本,然后构造查询。但这取决于您如何定义模式。如果消息属性/字段未定义为index:not_analysis(参考),则无法使用通配符解决此问题。因为您的文本将被标记并保存为多个字符串,而不是一个完整的字符串。在这种情况下,您不能匹配完整的文本,因为它不在那里。您必须在一个must中编写每个部分(例如:COMPANY、80d596f6、2082等)的多个匹配查询,因为您希望它检索包含所有部分的行;I don’我不明白,你们能不能提供一个例子?在我看来,连字符是造成问题的原因,它充当了通配符。我不知道如何避免这种情况
{
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" } },
{ "match": { "message": "ErrorMessage"}}
]
}
},
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" } },
{ "match": { "message": "ErrorMessage"}}
]
}
},
{
"bool": {
"must": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" } },
{ "match": { "message": "ErrorMessage"}}
]
}
}
]
}
}
}
{
"query": {
"bool": {
"must": [
{ "match": { "message": "ErrorMessage"}},
{
"bool": {
"should": [
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eA|001" } },
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eB|002" } },
{ "match": { "message": "COMPANY|80d596f6-2082-4a1d-bcfc-740478f626eC|003" } }
]
}
}
]
}
}
}