ES-增删改查

写作目的

供想了解ES数据操作的伙伴学习ES的CRUD操作。

测试环境

ES 7.8.1，Postman

创建索引库

// PUT请求
localhost:9200/test_alert
{
    "mappings": {
        "properties": {
            "src_ip": {
                "type": "ip"
            },
            "src_port": {
                "type": "integer"
            },
            "domain": {
                "type": "text"
            },
            "ip_type": {
                "type": "byte"
            },
            "protocol": {
                "type": "short"
            },
            "category": {
                "type": "text",
                "fields": {
                    "keyword": {
                        "type": "keyword"
                    }
                }
            },
            "create_time": {
                "type": "date"
            },
            "ioc_threat_tag": {
                "type": "integer"
            },
            "user_id": {
                "type": "long"
            }
        }
    }
}
===返回===
{
    "acknowledged": true,
    "shards_acknowledged": true,
    "index": "test_alert1"
}

查看索引库结构

// GET请求
localhost:9200/test_alert/_mapping
====返回====
{
    "version": 3,
    "mapping_version": 1,
    "settings_version": 1,
    "aliases_version": 1,
    "routing_num_shards": 1024,
    "state": "open",
    "settings": {
        "index": {
            "creation_date": "1676344367294",
            "number_of_shards": "1",
            "number_of_replicas": "1",
            "uuid": "l06g5nl8QiWCwxqbbO_gaQ",
            "version": {
                "created": "7080199"
            },
            "provided_name": "test_alert"
        }
    },
    "mappings": {
        "_doc": {
            "properties": {
                "src_ip": {
                    "type": "ip"
                },
                "src_port": {
                    "type": "integer"
                },
                "protocol": {
                    "type": "short"
                },
                "create_time": {
                    "type": "date"
                },
                "user_id": {
                    "type": "long"
                },
                "domain": {
                    "type": "text"
                },
                "ioc_threat_tag": {
                    "type": "integer"
                },
                "category": {
                    "type": "text",
                    "fields": {
                        "keyword": {
                            "type": "keyword"
                        }
                    }
                },
                "ip_type": {
                    "type": "byte"
                }
            }
        }
    },
    "aliases": [],
    "primary_terms": {
        "0": 1
    },
    "in_sync_allocations": {
        "0": [
            "JW63ZMQRT9W7kSrKAL-Wcw"
        ]
    },
    "rollover_info": {}
}

删除索引库

指定索引库删除

//DELETE请求
http://127.0.0.1:9200/test_alert
===返回===
{
    "acknowledged": true
}

批量删除（通配符匹配）

注意：`test_alert*` 会匹配所有以 test_alert 开头的索引库并一并删除；生产环境建议开启 `action.destructive_requires_name`，禁止这类通配符删除索引。

http://127.0.0.1:9200/test_alert*
===返回===
{
    "acknowledged": true
}

新增数据

不指定id

自动生成的 id 长度为 20 个字符，URL 安全，采用 base64 编码，本质上是一个 GUID；分布式系统并行生成时不会发生冲突。

GUID：GUID 算法可保证在分布式环境下，不同节点同一时间创建的 _id 一定不冲突。

// POST请求
http://127.0.0.1:9200/test_alert/_doc
{
 "src_ip":"1.1.1.1",
 "src_port": 80,
 "domain":"www.juminfo.com",
 "ip_type":4,
 "protocol":1,
 "createTime":"2022-12-12 18:18:18",
 "category":18888.0,
 "ioc_threat_tag":[1,2,3,4],
 "user_id":1

}
===返回===
{
    "_index": "test_alert",
    "_type": "_doc",
    "_id": "jIjwTYYBma4deQZeF0Y3",  // es会随机生成一个id
    "_version": 1,
    "result": "created",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 0,
    "_primary_term": 1
}

指定id

// POST请求
http://127.0.0.1:9200/test_alert/_doc/1
{
 "src_ip":"2.2.2.2",
 "src_port": 80,
 "domain":"www.jira.com",
 "ip_type":4,
 "protocol":1,
 "createTime":"2023-02-12 18:18:18",
 "category":18888.0,
 "ioc_threat_tag":[1,2,3,4],
 "user_id":2

}
===返回===
{
    "_index": "test_alert",
    "_type": "_doc",
    "_id": "1",   // 数据的id为我们自定义的id
    "_version": 1,
    "result": "created",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 1,
    "_primary_term": 1
}


修改数据

PUT（/_doc/{id}）会用请求体整体替换原文档，请求体里没有的字段会丢失；POST（/_update/{id}，字段放在 "doc" 中）只更新请求体里给出的字段。
PUT 与 DELETE 都是幂等操作，即不论重复执行多少次，文档的最终状态都一样（但每次成功写入 _version 仍会 +1，见下方返回）。

【PUT】全量修改

// PUT请求
http://127.0.0.1:9200/test_alert/_doc/1
{
 "src_ip":"3.3.3.3",
 "src_port": 80
}
===返回====
    {
    "_index": "test_alert",
    "_type": "_doc",
    "_id": "1",
    "_version": 2,           // 每次数据修改,版本+1
    "result": "updated",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 2,
    "_primary_term": 1
}


// PUT请求  数据恢复
http://127.0.0.1:9200/test_alert/_doc/1
{
 "src_ip":"2.2.2.2",
 "src_port": 80,
 "domain":"www.jira.com",
 "ip_type":4,
 "protocol":1,
 "createTime":"2023-02-12 18:18:18",
 "category":18888.0,
 "ioc_threat_tag":[1,2,3,4],
 "user_id":2

}
===返回===
{
    "_index": "test_alert",
    "_type": "_doc",
    "_id": "1",
    "_version": 3,   // 每次数据修改,版本+1
    "result": "updated",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 3,
    "_primary_term": 1
}

【POST】局部修改

// POST请求
http://127.0.0.1:9200/test_alert/_update/1
{
    "doc": {
        "src_ip": "8.8.8.8"
       
    }
}
===返回===
    {
    "_index": "test_alert",
    "_type": "_doc",
    "_id": "1",
    "_version": 4,    // 每次数据修改,版本+1
    "result": "updated",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 4,
    "_primary_term": 1
}


【POST】修改文档-追加值

http://127.0.0.1:9200/test_alert/_update_by_query
// 为索引库追加字段和字段值。下例表示：更新 test_alert 索引库中所有尚不存在 port 字段的文档，为其追加 port 字段，值为 8080（与脚本一致）；must_not + exists 条件保证已有 port 值的文档不会被覆盖。
{
  "script": {
    "source": "ctx._source.port = 8080",
    "lang": "painless"
  },
  "query": {
    "bool": {
      "must_not": [
        {
          "exists": {
            "field": "port"
          }
        }
      ]
    }
  }
}

===返回====
    {
    "took": 107,
    "timed_out": false,
    "total": 2,
    "updated": 2,
    "deleted": 0,
    "batches": 1,
    "version_conflicts": 0,
    "noops": 0,
    "retries": {
        "bulk": 0,
        "search": 0
    },
    "throttled_millis": 0,
    "requests_per_second": -1,
    "throttled_until_millis": 0,
    "failures": []
}


【POST】修改文档-修改指定字段值

http://127.0.0.1:9200/test_alert/_update_by_query
// 根据条件更新索引库字段值（下例把 src_ip 为 8.8.8.8 的文档的 port 改为 8080）
{
  "script": {
    "source": "ctx._source.port = 8080",
    "lang": "painless"
  },
  "query": {
    "match": {
      "src_ip": "8.8.8.8"
    }
  }
}

====返回====
 {
    "took": 26,
    "timed_out": false,
    "total": 1,
    "updated": 1,
    "deleted": 0,
    "batches": 1,
    "version_conflicts": 0,
    "noops": 0,
    "retries": {
        "bulk": 0,
        "search": 0
    },
    "throttled_millis": 0,
    "requests_per_second": -1,
    "throttled_until_millis": 0,
    "failures": []
}

【POST】修改索引库字段类型

// POST请求
localhost:9200/test_alert/_mapping
{
  "properties": {
    "domain": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    }
  }
}
===返回====
{
    "acknowledged": true
}

改完我们再查看一下索引库结构。注意：ES 不允许直接修改已有字段的类型，这里的 POST _mapping 实际是为 domain 追加了一个 keyword 子字段；另外可以看到 createTime 被动态映射成了 text，原因是前面写入文档时用的字段名是 createTime，而不是映射中定义的 create_time。若想避免这类意外的动态映射，可在 mappings 中设置 "dynamic": "strict"。
// GET请求
localhost:9200/test_alert/_mapping
{
    "version": 5,
    "mapping_version": 3,
    "settings_version": 1,
    "aliases_version": 1,
    "routing_num_shards": 1024,
    "state": "open",
    "settings": {
        "index": {
            "creation_date": "1676346977182",
            "number_of_shards": "1",
            "number_of_replicas": "1",
            "uuid": "UQGRlwAsRkaaoKKCXJRFwQ",
            "version": {
                "created": "7080199"
            },
            "provided_name": "test_alert"
        }
    },
    "mappings": {
        "_doc": {
            "properties": {
                "src_ip": {
                    "type": "ip"
                },
                "src_port": {
                    "type": "integer"
                },
                "protocol": {
                    "type": "short"
                },
                "create_time": {
                    "type": "date"
                },
                "createTime": {
                    "type": "text",
                    "fields": {
                        "keyword": {
                            "ignore_above": 256,
                            "type": "keyword"
                        }
                    }
                },
                "user_id": {
                    "type": "long"
                },
                "domain": {
                    "type": "text",
                    "fields": {
                        "keyword": {      // 注意这里,domain多了一个keyword类型
                            "ignore_above": 256,
                            "type": "keyword"
                        }
                    }
                },
                "ioc_threat_tag": {
                    "type": "integer"
                },
                "category": {
                    "type": "text",
                    "fields": {
                        "keyword": {
                            "type": "keyword"
                        }
                    }
                },
                "ip_type": {
                    "type": "byte"
                }
            }
        }
    },
    "aliases": [],
    "primary_terms": {
        "0": 1
    },
    "in_sync_allocations": {
        "0": [
            "sPz6Ct2RSgiPZGxaaS__7A"
        ]
    },
    "rollover_info": {}
}


删除数据

删除文档-根据id

// DELETE请求
http://127.0.0.1:9200/test_alert/_doc/3
===返回===
{
    "_index": "test_alert",
    "_type": "_doc",
    "_id": "3",
    "_version": 3,
    "result": "deleted",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 4,
    "_primary_term": 1
}



根据搜索条件删除

先模拟一些数据

PS：_delete_by_query 在开始处理时会获取索引的快照，并使用内部版本控制删除它所查找到的内容。这意味着如果文档在查询和执行删除之间发生了变化，会报版本冲突错误；只有版本匹配时文档才会被删除。
执行删除ip_type为0的记录

// POST请求
http://127.0.0.1:9200/test_alert/_delete_by_query
{  
   "query":{  
      "match":{  
         "ip_type":0
      }
   }
}
===返回===
{
    "took": 26,
    "timed_out": false,
    "total": 3,
    "deleted": 3,
    "batches": 1,
    "version_conflicts": 0,
    "noops": 0,
    "retries": {
        "bulk": 0,
        "search": 0
    },
    "throttled_millis": 0,
    "requests_per_second": -1,
    "throttled_until_millis": 0,
    "failures": []
}



清空索引库

// POST请求
http://127.0.0.1:9200/test_alert/_delete_by_query
{
  "query": {
    "match_all": {}
  }
}
===返回====
{
    "took": 14,
    "timed_out": false,
    "total": 2,
    "deleted": 2,
    "batches": 1,
    "version_conflicts": 0,
    "noops": 0,
    "retries": {
        "bulk": 0,
        "search": 0
    },
    "throttled_millis": 0,
    "requests_per_second": -1,
    "throttled_until_millis": 0,
    "failures": []
}


模糊匹配清空索引库

再创建一个test_alert1索引库,用于测试模糊请求操作。

// POST请求
http://127.0.0.1:9200/test_alert*/_delete_by_query
{
  "query": {
    "match_all": {}
  }
}
===返回===
{
    "took": 25,
    "timed_out": false,
    "total": 6,
    "deleted": 6,
    "batches": 1,
    "version_conflicts": 0,
    "noops": 0,
    "retries": {
        "bulk": 0,
        "search": 0
    },
    "throttled_millis": 0,
    "requests_per_second": -1,
    "throttled_until_millis": 0,
    "failures": []
}


查看测试数据

// GET请求
http://127.0.0.1:9200/test_alert/_search
{  
   "query":{  
      "match":{  
         "ip_type":0
      }
   }
}
=====返回====
{
    "took": 2,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 3,
            "relation": "eq"
        },
        "max_score": 1,
        "hits": [
            {
                "_index": "test_alert",
                "_type": "_doc",
                "_id": "4",
                "_score": 1,
                "_source": {
                    "src_ip": "1.1.1.1",
                    "src_port": 80,
                    "domain": "www.juminfo.com",
                    "ip_type": 0,
                    "protocol": 1,
                    "createTime": "2022-12-12 18:18:18",
                    "category": 18888,
                    "ioc_threat_tag": [
                        1,
                        2,
                        3,
                        4
                    ],
                    "user_id": 1
                }
            },
            {
                "_index": "test_alert",
                "_type": "_doc",
                "_id": "5",
                "_score": 1,
                "_source": {
                    "src_ip": "1.1.1.1",
                    "src_port": 80,
                    "domain": "www.juminfo.com",
                    "ip_type": 0,
                    "protocol": 1,
                    "createTime": "2022-12-12 18:18:18",
                    "category": 18888,
                    "ioc_threat_tag": [
                        1,
                        2,
                        3,
                        4
                    ],
                    "user_id": 1
                }
            },
            {
                "_index": "test_alert",
                "_type": "_doc",
                "_id": "6",
                "_score": 1,
                "_source": {
                    "src_ip": "1.1.1.1",
                    "src_port": 80,
                    "domain": "www.juminfo.com",
                    "ip_type": 0,
                    "protocol": 1,
                    "createTime": "2022-12-12 18:18:18",
                    "category": 18888,
                    "ioc_threat_tag": [
                        1,
                        2,
                        3,
                        4
                    ],
                    "user_id": 1
                }
            }
        ]
    }
}
