Query the logs from the last hour whose data.@level field is Error, sort them by date in descending order, return the 10 most recent, and output only the two fields [date, message]:
GET events*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "fields": ["data.@level"],
            "query": "Error"
          }
        }
      ],
      "filter": {
        "range": {
          "date": {
            "gte": "now-1h",
            "lte": "now"
          }
        }
      }
    }
  },
  "sort": [
    {
      "date": {
        "order": "desc",
        "missing": "_last"
      }
    }
  ],
  "_source": ["date", "message"],
  "size": 10
}
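As an added example (not part of the original snippet), the same request body built from parameters and then evaluated locally over constructed sample documents, so the level match, the relative time window, the sort and the `_source` projection can be checked without a cluster. It assumes `data.@level` is an analyzed text field (so `query_string` matches case-insensitively; on a `keyword` mapping the match is exact) and that the window is written as `<n>h`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents standing in for hits from an events* index.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"date": NOW - timedelta(minutes=5),  "message": "disk full",     "data": {"@level": "Error"}, "host": "a"},
    {"date": NOW - timedelta(minutes=30), "message": "timeout",       "data": {"@level": "error"}, "host": "b"},
    {"date": NOW - timedelta(hours=2),    "message": "old failure",   "data": {"@level": "Error"}, "host": "c"},
    {"date": NOW - timedelta(minutes=1),  "message": "user login",    "data": {"@level": "Info"},  "host": "d"},
    {"date": None,                        "message": "undated error", "data": {"@level": "Error"}, "host": "e"},
]


def build_query(level="Error", window="1h", size=10, fields=("date", "message")):
    """Return the request body shown above, with the tunable values as parameters."""
    return {
        "query": {"bool": {
            "must": [{"query_string": {"fields": ["data.@level"], "query": level}}],
            "filter": {"range": {"date": {"gte": f"now-{window}", "lte": "now"}}},
        }},
        "sort": [{"date": {"order": "desc", "missing": "_last"}}],
        "_source": list(fields),
        "size": size,
    }


def run_locally(query, docs, now=NOW):
    """Model what Elasticsearch would return for build_query() over in-memory docs.

    Assumptions: data.@level is analyzed text (case-insensitive match) and the
    window in the range filter is of the form 'now-<n>h'.
    """
    body = query["query"]["bool"]
    level = body["must"][0]["query_string"]["query"].lower()
    hours = int(body["filter"]["range"]["date"]["gte"][len("now-"):-1])
    lower = now - timedelta(hours=hours)
    hits = [d for d in docs
            if d["data"].get("@level", "").lower() == level
            and d["date"] is not None and lower <= d["date"] <= now]
    # A document with no date never passes the range filter, so "missing": "_last"
    # only matters if that filter is dropped; the sort key stays defensive anyway.
    hits.sort(key=lambda d: (d["date"] is None, -(d["date"] or now).timestamp()))
    fields = query["_source"]
    return [{f: d[f] for f in fields} for d in hits[: query["size"]]]
```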