elasticsearch复合查询

查询最近一小时内data.@level字段为Error的日志并按date倒序排列,输出最近10条,只输出[date,message]两个字段

GET events*/_search
{
    "query": {
                "bool": {
                    "must": [
                        {
                            "query_string": {
                                "fields": ["data.@level"],
                                "query""Error"
                             
                        }
                        }
                         
                    ],
                "filter": {
                           "range": {
                      "date": {
                        "gte""now-1h",
                        "lte""now"
                      }
                    }
                }
                   
                }
                },
                "sort": [
                  {
                    "date": {
                      "order""desc",
                      "missing""_last"
                    }
                  }],
                  "_source": ["date","message"],
                  "size": 10
    }
posted @ 2019-07-04 16:39  dream_fly_info  阅读(1116)  评论(0编辑  收藏  举报