Kibana Dev Tools 常用命令
1、计算总数(下方示例为按 data.id 分组的 terms 聚合计数)
{ "size": 0, "aggs": { "count_nameCount": { "terms": { "field": "data.id" } } } }
2、查询所有
GET /logstandard_data/logstandard_data/_search { "query": { "match_all": {} } }
3、查询某个字段匹配
GET /logstandard_data/logstandard_data/_search { "query" : { "bool" : { "must" : [ {"match": {"data.bsm": 574599426}} ] } } }
4、查询某个字段,按时间倒序排序
GET /logstandard_data/logstandard_data/_search { "query": { "bool": { "must": [ { "match": { "data.interfaceCode": 1341 } } ] } }, "sort": [ { "data.requestTime.keyword": { "order": "desc" } } ] }
5、时间范围查询
GET /logstandard_data/logstandard_data/_search { "query": { "bool": { "must": [ { "match": { "data.interfaceCode": 1341 } }, { "match": { "resource.status": "0" } } ], "filter":[ {"range": { "data.requestTime": { "gte": 1594915200000, "lte": 1595001599000 } } } ] } }, "sort": [ { "data.requestTime.keyword": { "order": "desc" } } ] }
6、创建索引
PUT test
上面没有设置分片时,默认主分片为 5,副本分片为 1
设置分片并创建索引
PUT /test { "settings":{ "index":{ "number_of_shards":3, "number_of_replicas":1 } } }
number_of_shards是主分片的数量;number_of_replicas是副本分片的数量(这里提一下,number_of_replicas副本分片的数量是面向主分片的,所以这个值为1时代表每一个主分片有一个副本分片)
引用:https://www.cnblogs.com/progor/p/11548269.html#%E5%88%9B%E5%BB%BA%E7%B4%A2%E5%BC%95
7、设置索引数据的字段格式(mapping)
POST /book/novel/_mappings { "novel":{ "properties": { "word_count": { "type": "integer" }, "author": { "type": "keyword" }, "title": { "type": "text" } } } }
book为索引名,novel为type类型
字段数据类型:请查看https://www.cnblogs.com/chy18883701161/p/12723658.html
设置日期的格式可以如下:
PUT my_index { "mappings": { "_doc": { "properties": { "updated_date": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" } } } } }
设置对象中包含对象的类型
{ "properties": { "region": { "type": "keyword" }, "manager": { "properties": { "age": {"type": "short"}, "name": { "properties": { "first": {"type": "keyword"}, "last": {"type": "text"} } } } } } }
8、插入数据
POST indextest001/product { "title": "test title 001", "description": "this is a random desc ", "price": 22.6, "onSale": "true", "type": 2, "createDate": "2018-01-12" }
9、批量删除(按查询条件删除,不可恢复;索引名带通配符时会作用于所有匹配的索引,建议先用同一 query 执行 _search 或 _count 确认命中范围)
POST /ailpha-saas-hiddendanger*/_delete_by_query { "query": { "bool": { "must": [ { "term": { "riskLevel": { "value": "" } } } ] } } }
10、批量更新
POST /ailpha-saas-securityevent-000001/_doc/_update_by_query { "script":{ "source":"ctx._source['discoverFactory']=\"中国电子云\";" }, "query": { "term": { "discoverFactory": "安恒信息" } } }
11、判断字段是否存在
GET es_test/_search
{
"query": {
"exists": {
"field": "user"
}
}
}
11、判断字段是否为空字符串或者不存在
GET /ailpha-securityalarm-*/_search { "query": { "bool": { "must": [ { "bool": { "should": [ { "term": { "hiddenDangerId": { "value": "" } } }, { "bool": { "must_not": [ { "exists": { "field": "hiddenDangerId" } } ] } } ] } } ] } } }
12、根据脚本聚合查询
{ "query": { "bool": { "must": [ { "terms": { "destIp": [ "2.0.0.30", "2.0.0.0", "http://service.odps.aliyun.com/api", "2.0.0.39" ], "boost": 1.0 } }, { "terms": { "destPort": [ "11", "801" ], "boost": 1.0 } }, { "terms": { "dbName": [ "bigdata-web2", "bigdata", "bigdata_web", "bigdata-web", "dev", "dsc", "bigdat", "flowable", "baas_monitor", "datasecurity" ], "boost": 1.0 } }, { "range": { "statisticTime": { "from": 1681315200, "to": 1681919999, "include_lower": true, "include_upper": true, "boost": 1.0 } } } ], "adjust_pure_negative": true, "boost": 1.0 } }, "aggregations": { "group_by_key": { "terms": { "script": { "source": "doc['destIp'].value + '|' + doc['destPort'].value + '|' + doc['dbName'].value + '|' + doc['tableName'].value + '|' + doc['fieldName'].value", "lang": "painless" }, "size": 10, "min_doc_count": 1, "shard_min_doc_count": 0, "show_term_doc_count_error": false, "order": [ { "_count": "desc" }, { "_key": "asc" } ] }, "aggregations": { "sum_visit_count": { "sum": { "field": "visitCount" } } } } } }
13、添加嵌套类型字段
PUT /ailpha-ds-db_ip_visit_statistic/_doc/_mapping { "properties": { "dataTag": { "type": "nested" } } }
PUT /ailpha-ds-db_ip_visit_statistic/_doc/_mapping { "properties": { "dataTag": { "type": "nested", "properties":{ "tag":{ "type" : "keyword" }, "visitCount":{ "type" : "keyword" }, "visitVolume":{ "type" : "keyword" } } } } }
14、嵌套聚合查询
GET /ailpha-ds-api_user_visit_statistic/_search { "aggregations": { "group_by_key": { "nested": { "path": "dataTag" }, "aggregations": { "group_by_tag": { "terms": { "field": "dataTag.tag", "size": 10 }, "aggs": { "sum_visit_vount": { "sum": { "field": "dataTag.visitCount" } } } } } } } }
15、创建生命周期(下方示例实际是引用生命周期策略 article_ilm_policy 的索引模板,与第 16 条内容相同;策略本身的定义未在本文给出)
//设定索引模板 PUT /_template/article_ilm_template { "index_patterns":[ "article*"(索引匹配规则,满足article为前缀的索引以此模板创建,这个要写好,瞎写或者写复杂了容易导致索引找不到模板) ], "aliases": { "article-template": {}(设置要与索引关联的别名。此别名不同于索引别名) }, "settings":{ "number_of_shards":9,(主分片数) "number_of_replicas":1,(副本数) "index.lifecycle.name":"article_ilm_policy",(规定索引遵从哪个生命周期) "index.lifecycle.rollover_alias":"article",(规定rollover索引别名) "index.routing.allocation.include.box_type":"hot",(让所有符合命名规则索引的 Shard 都将被分配到 Hot Nodes 节点上,如果不需要指定分配,可以去掉) }, "mappings":{ "properties":{ "id":{ "type":"integer" }, "appChannel":{ "type":"long" }, "channleId":{ "type":"integer" }, "content":{ "type":"text", "index":false, "copy_to":[ "fulltext" ] }, "createTime":{ "type":"date", "format":"yyyy-MM-dd'T'HH:mm:ss.SSSZZ||yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" }, "wordCount":{ "type":"keyword", "index":false } } } }
16、创建模板
//设定索引模板 PUT /_template/article_ilm_template { "index_patterns":[ "article*"(索引匹配规则,满足article为前缀的索引以此模板创建,这个要写好,瞎写或者写复杂了容易导致索引找不到模板) ], "aliases": { "article-template": {}(设置要与索引关联的别名。此别名不同于索引别名) }, "settings":{ "number_of_shards":9,(主分片数) "number_of_replicas":1,(副本数) "index.lifecycle.name":"article_ilm_policy",(规定索引遵从哪个生命周期) "index.lifecycle.rollover_alias":"article",(规定rollover索引别名) "index.routing.allocation.include.box_type":"hot",(让所有符合命名规则索引的 Shard 都将被分配到 Hot Nodes 节点上,如果不需要指定分配,可以去掉) }, "mappings":{ "properties":{ "id":{ "type":"integer" }, "appChannel":{ "type":"long" }, "channleId":{ "type":"integer" }, "content":{ "type":"text", "index":false, "copy_to":[ "fulltext" ] }, "createTime":{ "type":"date", "format":"yyyy-MM-dd'T'HH:mm:ss.SSSZZ||yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" }, "wordCount":{ "type":"keyword", "index":false } } } }
17、使滚动策略立即生效
POST article(别名)/_rollover/ { "conditions": { "max_docs": 2 } } 或者 POST article(别名)/_rollover/article-05(指定rollover后的索引名称) { "conditions": { "max_docs": 50000000 } } 或者强行rollover POST article(别名)/_rollover/