elasticsearch DLS语句

一、集群

检查集群健康状况:

GET /_cluster/health?pretty=true

检查集群设置:

PUT _cluster/settings

{ 
  "persistent" :
  { 
     "cluster.routing.rebalance.enable": "none",
       ##允许在一个节点上发生多少并发传入分片恢复。 默认为2。
       ##多数为副本
      "cluster.routing.allocation.node_concurrent_incoming_recoveries":2，
      ##允许在一个节点上发生多少并发传出分片恢复，默认为2.
       ## 多数为主分片
      "cluster.routing.allocation.node_concurrent_outgoing_recoveries":2,
       ##为上面两个的统一简写
      "cluster.routing.allocation.node_concurrent_recoveries":2,
      ##在通过网络恢复副本时，节点重新启动后未分配的主节点的恢复使用来自本地  磁盘的数据。 
     ##这些应该很快，因此更多初始主要恢复可以在同一节点上并行发生。 默认为4。
      "cluster.routing.allocation.node_initial_primaries_recoveries":4,
##允许执行检查以防止基于主机名和主机地址在单个主机上分配同一分片的多个实例。 
##默认为false，表示默认情况下不执行检查。 此设置仅适用于在同一台计算机上启动多个节点的情况。这个我的理解是如果设置为false，
##则同一个节点上多个实例可以存储同一个shard的多个副本没有容灾作用了
   "cluster.routing.allocation.same_shard.host":true
    }
    
}

查看所有索引:

GET /_cat/indices?v
GET /_cat/indices/ultiwill*   #根据索引名前缀查询

查看索引分片状态:

GET /_cat/shards?v

索引重新分配副本:

PUT /wefwe/_settings
{
  "number_of_replicas": 0
}

二、索引

创建索引:

PUT /product

设置mapping映射:

POST /product/doc/_mapping
{
  "_source": {"enabled": true},
  "dynamic": true,
  "properties" : {
    "imei" : {"type" : "text","analyzer" : "keyword","fielddata": true},
    "ispid" : {"type":"integer","ignore_malformed": true},
    "msisdn" : {"type" : "text","analyzer" : "keyword","fielddata": true},
    "maddr_s" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "maddr_p" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "maddr_c" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "netaddr_s" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "netaddr_p" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "netaddr_c" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "seraddr_s" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "seraddr_p" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "seraddr_c" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "uli" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "x_sip" : {"type" : "ip"},
    "x_dip" : {"type" : "ip"},
    "i_sport" : {"type" : "keyword","doc_values":true},
    "i_dport" : {"type" : "keyword","doc_values":true},
    "guti" : {"type" : "keyword","doc_values":true},
    "i_nsapi" : {"type" : "long","ignore_malformed": true},
    "apn" : {"type" : "text", "analyzer" : "keyword"},
    "rai" : {"type" : "text", "analyzer" : "keyword"},
    "gsnu" : {"type" : "text", "analyzer" : "keyword"},
    "teid" : {"type" : "text", "analyzer" : "keyword"},
    "endtime" : {"type" : "long","ignore_malformed": true},
    "id" : {"type" : "long"},
    "i_type" : {"type" : "text","analyzer" : "keyword"},
    "conndirect" : {"type" : "text", "analyzer" : "keyword"},
    "protocoltype" : {"type" : "text" ,"analyzer" : "keyword"},
    "i_trojan_type" : {"type" : "long","ignore_malformed": true},
    "pguti":{"type" : "text" ,"analyzer" : "keyword"},
    "sid":{"type" : "text" ,"analyzer" : "keyword"},
    "x_imsi":{"type" : "text" ,"analyzer" : "keyword","fielddata": true},
    "pteid":{"type" : "text" ,"analyzer" : "keyword"},
    "flow":{"type" : "long","ignore_malformed": true},
    "vpsfirm":{"type" : "text" ,"analyzer" : "keyword"},
    "x_begintime":{"type" : "long","ignore_malformed": true},
    "netaddr" : {"type" : "keyword","doc_values":true},
    "seraddr" : {"type" : "keyword","doc_values":true},
    "maddr" : {"type" : "keyword","doc_values":true},
    "paddr_s" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "paddr_p" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "paddr_c" : {"type" : "text","analyzer" : "ik_max_word","norms" : false,"fields" : {"raw" : {"type" : "keyword","doc_values":true}}},
    "paddr" : {"type" : "keyword","doc_values":true},


    "sshclient" : {"type" : "keyword","doc_values":true},
    "sshserver" : {"type" : "keyword","doc_values":true},
    "sshver" : {"type" : "keyword","doc_values":true},
    "b_firstpacket" : {"type" : "binary"},
    "b_firstpacket1" :  {"type" : "text", "analyzer" : "keyword"},
    "appbigt" :{"type" : "integer"},
    "appsubt" :{"type" : "integer"}
  }
}

查看索引:

GET /posts/_search

插入数据:

POST /student/_bulk
{ "index": { "_id": 1 }}
{ "name" : "liubei", "age" : 20 , "sex": "boy", "birth": "1996-01-02" , "about": "i like diaocan he girl" }
{ "index": { "_id": 2 }}
{ "name" : "guanyu", "age" : 21 , "sex": "boy", "birth": "1995-01-02" , "about": "i like diaocan" }
{ "index": { "_id": 3 }}
{ "name" : "zhangfei", "age" : 18 , "sex": "boy", "birth": "1998-01-02" , "about": "i like travel" }
{ "index": { "_id": 4 }}
{ "name" : "diaocan", "age" : 20 , "sex": "girl", "birth": "1996-01-02" , "about": "i like travel and sport" }
{ "index": { "_id": 5 }}
{ "name" : "panjinlian", "age" : 25 , "sex": "girl", "birth": "1991-01-02" , "about": "i like travel and wusong" }
{ "index": { "_id": 6 }}
{ "name" : "caocao", "age" : 30 , "sex": "boy", "birth": "1988-01-02" , "about": "i like xiaoqiao" }
{ "index": { "_id": 7 }}
{ "name" : "zhaoyun", "age" : 31 , "sex": "boy", "birth": "1997-01-02" , "about": "i like travel and music" }
{ "index": { "_id": 8 }}
{ "name" : "xiaoqiao", "age" : 18 , "sex": "girl", "birth": "1998-01-02" , "about": "i like caocao" }
{ "index": { "_id": 9 }}
{ "name" : "daqiao", "age" : 20 , "sex": "girl", "birth": "1996-01-02" , "about": "i like travel and history" }

POST /zuo/doc/_mapping
{
  "_source": {"enabled": true},
  "dynamic": true,
  "properties" : {
    "i_sport" : {"type" : "keyword"},
    "dns":{"type" : "text"},
    "vpsfirm":{"type" : "text" ,"analyzer" : "keyword"}
   
  }
}


PUT /zuo/doc/1
{ 
  "i_sport" : "zuochong", 
  "dns" : "zuochong" ,
  "vpsfirm": "zuochong"
}

删除索引:

DELETE /test_index

根据条件删除索引中数据:

POST 索引名称/文档名称/_delete_by_query   
{
  "query":{
    "term":{
      "_id":100000100
    }
  }
}

删除所有数据:

POST /索引名称/文档名称/_delete_by_query?pretty
{
    "query": {
        "match_all": {
        }
    }
}

三、查询

match匹配, term精确匹配, range范围过滤, exists包含某个字段.  all_interests自己定义的聚合名称:

GET /student/_search
{
    "query": {
      "bool":{
        "must":[
          {
         "match": {
           "about": "travel"
             }
          },
          {
            "term":{
                "sex":"boy"
            }
            
          },
          {
            "range":{
              "age":{
                "gt":16,
                "lte":25
              }
            }
            
          },
          {
            "exists":{
              "field":"age"
            }
          }
          ]
      }
     },
    "aggs": {
    "all_interests": {
      "terms": { "field": "age" }
    }
  }
}

模糊查询:    text和keyword都可以模糊查询

GET /student/_search
{"query": {
    "wildcard":{
      "name": "*li*"
    }
   
  }  
}

聚合查询: 

text的字段聚合，使用“field.keyword”

 

单字段统计聚合  类似: 

select color,sum(1) as salesNum

from Cars

group by color 

GET /student/_search
{
  "aggs": {
    "all_interests": {   自定义
      "terms": {
         "field": "age" ,
          "size": 1000
      }
    }
  }
}

按颜色统计出平均价格:

SELECT Color,AVG(Price) as '平均价格'

FROM #Cars

GROUP BY Color

GET testindex/cars/_search
{
  "size": 0,
  "aggs": {
    "s": {
      "terms": {
        "field": "color.keyword",
        "size": 10
      },
      "aggs": {
        "avg_price": {
          "avg": {
            "field": "price"
          }
        }
      }
    }
  }
}

两个字段统计聚合:

POST basic_agreement_alias/_search
{
    "aggs": {
      "aggCount": {    自定义
        "terms": {
          "field": "firstip"
        },
        "aggs": {
        "idCount": {   自定义
          "terms": {
            "field": "emlcountry.keyword"
          }
        }
      }
      }
      
    }
}

排序: 

查询地址为''北京'', 按照endtime进行降序排序desc

{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "seraddr_p": {
              "value": "北京市"
            }
          }
        }
      ]
    }
  },
  "sort": [
    {
      "endtime": {
        "order": "desc"
      }
    }
  ]
}

注意: 只能用数字 日期进行排序

and or查询:

{
    "query": {
        "bool": {
            "must": [{
                "match_phrase": {
                    "name": "a"
                }
            }],
            "should": [{
                "match_phrase": {
                    "city": "b"
                }
            },
            {
                "match_phrase": {
                    "city": "c"
                }
            }],
            "minimum_should_match": 1
        }
    },
    "size": 5
}

实现 "name"=="a" and ("city" == "b" or "city" == "c")

高亮查询:

{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "FIELD1": "value1"
          }
        },
        {
          "match": {
            "FIELD2": "value2"
          }
        }
      ]
    }
  },
  "highlight": {
    "fields": {
      "FIELD1":{},
      "FIELD2":{}
    }
  }
}