一、查询
1、无条件查询
GET oneevent_log_index/_search
2、根据时间范围查询
示例:
GET oneevent_log_index/_search
{
"query": {
"bool": {
"filter": {
"range": {
"lOccurTime": {
"gte": 1570982400000,
"lte": 1571068800000
}
}
}
}
}
}
其中gte表示开始时间,lte表示结束时间
3、约定时间范围内,按条件查询
示例:
GET oneevent_log_index/_search
{
"query": {
"bool": {
"filter": {
"range": {
"lOccurTime": {
"gte": 1572278400000,
"lte": 1572364800000
}
}
},
"must": [
{
"term": {
"cDevIp.keyword": {
"value": "10.189.15.27"
}
}
}
]
}
}
}
其中must是查询条件数组,里面可以放多个查询条件,每个查询条件用term表示,term里面用字段.keyword来指定字段,用value来赋值
4、排序组件
"sort": [
{
"lOccurTime": {
"order": "desc"
}
}
]
查询示例:
GET oneevent_log_index/_search
{
"query": {
"bool": {
"filter": {
"range": {
"lOccurTime": {
"gte": 1572278400000,
"lte": 1572364800000
}
}
},
"must": [
{
"term": {
"cDevIp.keyword": {
"value": "10.189.15.27"
}
}
}
]
}
},
"sort": [
{
"lOccurTime": {
"order": "desc"
}
}
]
}
该组件与query同级,其中desc表示倒序(降序),asc表示顺序(升序),用法见上面的查询示例。
5、单条件查询组件term
示例:
GET oneevent_log_index/_search
{
"query": {
"term": {
"cDevIp.keyword": {
"value": "10.189.15.27"
}
}
}
}
6、多条件查询组件must
一个must中包含多个term,查询示例:
GET oneevent_log_index/_search
{
"query": {
"bool": {
"must": [
{"term": {
"cDevIp.keyword": {
"value": "10.189.15.27"
}
}},
{"term": {
"ceventType.keyword": {
"value": "系统状态"
}
}}
]
}
}
}
7、嵌套查询组件nested
原始数据示例:
{
"_index": "deviceinfo",
"_type": "device_type",
"_id": "5EzJzGwBWbOlHSD34jGv",
"_score": 4.0036902,
"_source": {
"deviceTypeOneName": "安全设备",
"businessSoftware": [],
"internal": "0",
"deviceScore": "6",
"vendorChn": "启明星辰",
"physicalRegion": "ICSSEC",
"deviceTypeTwo": "20",
"companyName": null,
"deviceSn": "BH-2019-9002",
"deviceName": "启明星辰-入侵检测",
"deviceTypeTwoName": "入侵检测系统",
"deviceStatus": "0",
"industryCode": null,
"safeDefendSoftware": [],
"security": "2",
"database": [],
"usability": "4",
"systemName": "工控安全-入侵检测",
"vulList": null,
"state": null,
"sourceCity": "咸阳市",
"ipList": [
{
"type": "业务",
"ipAddr": "192.168.1.25",
"macAddr": null
}
],
"industryName": null,
"companyCode": null,
"sourceFactory": "机柜间",
"systemId": "9KV_zWwBhrq-FDsqgVfO",
"os": [],
"integrality": "3",
"deviceVersion": null,
"deviceTypeOne": "2",
"riskowner": null,
"createTime": 1566803953403,
"sourceProvince": "陕西省",
"deviceModel": "XH-2019-9002",
"isStrategy": null,
"purchaseTime": "2019-08-01T07:18:17.340Z",
"useDescribe": null,
"remarks": null,
"sourcePrefecture": "渭城区",
"otherSoftware": []
}
}
通过数据可以看到ipList为数组,数组的每个元素是一个对象;若要以数组元素中的字段值作为查询条件,就需要使用嵌套查询(nested)。
示例:
GET deviceinfo/_search
{
"query": {
"nested": {
"path": "ipList",
"query": {
"term": {
"ipList.ipAddr.keyword": {
"value": "192.168.1.25"
}
}
}
}
}
}
path指定嵌套查询的字段,term指定到数组中的具体字段,如ipList.ipAddr
8、聚合查询
示例:
GET flow_count_index/_search
{
"size": 0,
"query": {
"range": {
"lOccurTime": {
"gte": "1568131200000",
"lte": "1568217600000"
}
}
},
"aggs": {
"flow": {
"filter": {
"term": {
"type.keyword": "flowCount"
}
},
"aggs": {
"per_count": {
"terms": {
"field": "sourceFactory.keyword"
},
"aggs": {
"sum_flow": {
"sum": {
"field": "cMsgBody.tosBytes"
}
}
}
}
}
}
}
}
9、同时查询嵌套对象字段和非嵌套字段
在Elasticsearch中同时查询嵌套对象字段和非嵌套查询字段,你可以使用"bool"查询和"must"子句来组合多个查询条件。以下是一个示例代码:
GET /your_index/_search
{
"query": {
"bool": {
"must": [
{
"nested": {
"path": "your_nested_object_field",
"query": {
// 在这里定义你的嵌套对象字段查询条件
}
}
},
{
// 在这里定义你的非嵌套字段查询条件
}
]
}
}
}
在上面的示例中,我们使用了"bool"查询和"must"子句来组合嵌套对象字段查询和非嵌套字段查询。你需要将"your_index"替换为你的索引名称,"your_nested_object_field"替换为你要查询的嵌套对象字段名称。
在"must"子句中,你可以添加多个查询条件来满足你的需求。你可以在嵌套字段查询条件中使用"nested"查询,定义你的嵌套对象字段查询条件。同时,你可以在非嵌套字段查询条件中使用任何有效的查询,如"term"、"match"、"range"等。
通过使用"bool"查询和"must"子句,你可以同时查询嵌套对象字段和非嵌套查询字段,以便满足你的多个查询要求。
带参示例:查询厂商数组类型字段为空,且嵌套对象中产品名称字段为空:
GET cve_index/_search
{
"query": {
"bool": {
"must": [
{
"nested": {
"path": "product",
"query": {
"bool": {
"must_not": {
"exists": {
"field": "product.nameAs"
}
}
}
}
}
},
{
"script": {
"script": {
"source": "doc['firmAs.keyword'].size() == 0"
}
}
}
]
}
}
}
再根据以上条件聚合统计:
GET cve_index/_search
{
"size": 1,
"query": {
"bool": {
"must": [
{
"nested": {
"path": "product",
"query": {
"bool": {
"must_not": {
"exists": {
"field": "product.nameAs"
}
}
}
}
}
},
{
"script": {
"script": {
"source": "doc['firmAs.keyword'].size() == 0"
}
}
}
]
}
},
"aggs": {
"nested_agg": {
"nested": {
"path": "product"
},
"aggs": {
"count_nameAs": {
"value_count":{
"field": "product.nameAs.keyword"
}
}
}
},
"count_firmAs": {
"value_count":{
"field": "firmAs.keyword"
}
}
}
}
10、数据类型查询
查询非嵌套字段(数组类型)为空:
GET cve_index/_search
{
"query": {
"bool": {
"must": [
{
"script": {
"script": {
"source": "doc['firmAs.keyword'].size() == 0"
}
}
}
]
}
}
}
查询嵌套字段(数组类型)为空:
GET cve_index/_search
{
"query": {
"nested": {
"path": "product",
"query": {
"bool": {
"must_not": {
"exists": {
"field": "product.nameAs"
}
}
}
}
}
}
}
二、删除
1、根据id删除
DELETE flow_count_index/flow_count_type/5a14f323d4e854f2828aac979b3d855a
2、根据查询条件删除(该操作不可恢复,建议先用相同的query执行_search核对命中结果后再执行)
POST oneevent_log_index/oneevent_log_type/_delete_by_query
{
"query": {
"bool": {
"filter": {
"range": {
"lOccurTime": {
"gte": 1566921600000,
"lte": 1566922200000
}
}
},
"must": [
{
"term": {
"ceventSType.keyword": {
"value": "系统关闭或宕机"
}
}
}
]
}
}
}
三、修改
1、根据ID修改
POST /deviceinfo/device_type/ytRyN2wBh6UZub_50B8K/_update
{
"script" : {
"source": "ctx._source.sourceFactory = params.sourceFactory;ctx._source.systemName = params.systemName;ctx._source.systemId = params.systemId;",
"lang": "painless",
"params" : {
"sourceFactory" : "溶脱系统机柜间",
"systemName" : "60万吨汽油加氢SIS系统",
"systemId" : "EqDfQGwBTbnewN0U62bm"
}
}
}
2、根据查询修改
POST deviceinfo_temp_index/_update_by_query
{
"script": {
"source": "ctx._source.online_state = params.status;",
"lang": "painless",
"params": {
"status": "离线"
}
},
"query": {
"bool": {
"must": [{
"term": {
"ip.keyword": {
"value": "10.1.50.242"
}
}
}]
}
}
}