query DSL match 查询 { "match": { "tweet": "About Search" } } 注:match查询只能就指定某个确切字段某个确切的值进行搜索,做精确匹配搜索时, 你最好用过滤语句,因为过滤语句可以缓存数据。 match_phrase 查询 { "query": { "match_phrase": { "title": "quick brown fox" } } } 注:与match相比,不会拆分查询条件 参考:https://blog.csdn.net/liuxiao723846/article/details/78365078?locationNum=2&fps=1 multi_match查询:对多个field查询 { "multi_match": { "query": "full text search", "fields": [ "title", "body" ] } } bool 查询 must: 查询指定文档一定要被包含。 filter: 和must类似,但不计分。 must_not: 查询指定文档一定不要被包含。 should: 查询指定文档,满足一个条件就返回。 POST _search { "query": { "bool" : { "must" : { "term" : { "user" : "kimchy" } }, "filter": { "term" : { "tag" : "tech" } }, "must_not" : { "range" : { "age" : { "gte" : 10, "lte" : 20 } } }, "should" : [ { "term" : { "tag" : "wow" } }, { "term" : { "tag" : "elasticsearch" } } ], "minimum_should_match" : 1, "boost" : 1.0 } } } prefix 查询:以什么字符开头 { "query": { "prefix": { "hostname": "wx" } } } wildcards 查询:通配符查询 { "query": { "wildcard": { "postcode": "W?F*HW" } } } 注:?用来匹配任意字符,*用来匹配零个或者多个字符 regexp 查询:正则表达式查询 { "query": { "regexp": { "postcode": "W[0-9].+" } } } 注: 1. 字段、词条 字段"Quick brown fox" 会产生 词条"quick","brown"和"fox" 2. prefix,wildcard以及regexp查询基于词条 --------------------------------------------------------------------- filter DSL term 过滤:精确匹配 { "query": { "term": { "age": 26 } } } terms 过滤:指定多个匹配条件 { "query": { "terms": { "status": [ 304, 302 ] } } } range 过滤 { "range": { "age": { "gte": 20, "lt": 30 } } } 范围操作符包含: gt :: 大于 gte:: 大于等于 lt :: 小于 lte:: 小于等于 exists/missing 过滤:过滤字段是否存在 { "exists": { "field": "title" } } bool过滤:合并多个过滤条件查询结果的布尔逻辑 { "bool": { "must": { "term": { "folder": "inbox" }}, "must_not": { "term": { "tag": "spam" }}, "should": [ { "term": { "starred": true }}, { "term": { "unread": true }} ] } } 注: must :: 多个查询条件的完全匹配,相当于 and。 must_not :: 多个查询条件的相反匹配,相当于 not。 should :: 至少有一个查询条件匹配, 相当于 or。
must例子,多个条件使用[] { "query": { "bool": { "must": [{ "term": { "category": "38" } }, { "range": { "time": { "gte": "1539827880", "lt": "1539827881" } } } ], "must_not": [], "should": [] } }, "from": 0, "size": 10, "sort": [], "aggs": {} }
聚合:
1. 筛选出指定时间的记录并求出sum(collection),其中collection字段为数值 { "query" : { "match" : {"time":1539827880} }, "aggs" : { "connections" : { "sum" : { "field" : "connection" } } } }
2. 筛选出时间范围内的数据然后根据category进行分类,每个类别中计算connection的总数,并根据result排序 { "query": { "range": { "time": { "gte": 1539827880, "lt": 1539827881 } } }, "aggs": { "_result": { "terms": { "field": "category",
"order": {"result":"desc"}
}, "aggs": { "result": { "sum": { "field": "connection" } } } } } }
3. 多重聚合 { "size": 0, "query": { "range": { "time": { "gte": 1539741480, "lte": 1539827880 } } }, "aggs": { "_result": { "terms": { "field": "category", "order": { "result": "desc" }, "size": 5 }, "aggs": { "result": { "sum": { "field": "connection" } }, "IPs": { "terms": { "field": "ip", "order": { "ip_result" : "desc" }, "size": 5 }, "aggs": { "ip_result": { "sum": { "field": "connection" } } } } } } } }
#DE log,先筛选type=2的日志,然后根据source_address统计repeat_times的和(即该source_address的log出现的次数),倒排 { "size": 0, "query": { "bool": { "must": [ { "term": { "type": 2 } } ] } }, "aggs": { "all_source_address": { "terms": { "field": "source_address", "order": {"repeat_times_total": "desc"} #注意:根据聚合后的字段来排序 }, "aggs": { "repeat_times_total": { "sum": {"field": "repeat_times"} } } } } }