20. ELK Real-Time Log Analysis Platform: Introduction to Elasticsearch Queries

When reposting, please credit the original source: http://blog.csdn.net/a464057216/article/details/50917500

Next, let's practice on a larger set of simulated data. Download the archive from here, extract it, and import it into the system:

$ curl -XPOST 'localhost:9200/bank/account/_bulk?pretty' --data-binary "@accounts.json"
           

Then check the state of the indices:

$ curl 'localhost:9200/_cat/indices?v'
health status index    pri rep docs.count docs.deleted store.size pri.store.size
yellow open   bank       5   1       1000            0    450.3kb        450.3kb
yellow open   customer   5   1          1            0      3.9kb          3.9kb
           

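This shows that all 1k documents in the bank index were imported successfully.

There are two ways to run a query in Elasticsearch: pass parameters in the REST URI, or put the query conditions in the body of the REST request.

With the REST URI approach you use the _search endpoint. For example, to query all documents in the customer index: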

$ curl 'localhost:9200/customer/_search?q=*&pretty'
{
  "took" : 22,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "customer",
      "_type" : "external",
      "_id" : "1",
      "_score" : 1.0,
      "_source" : {
        "name" : "mars loo",
        "age" : 25
      }
    } ]
  }
}
           

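Where:

  • took: time Elasticsearch took to execute the query (ms)
  • timed_out: whether the query timed out
  • _shards: how many shards the query ran on, including how many succeeded and how many failed
  • hits: the query results
  • hits.total: how many documents in total matched the query
  • hits.hits: the documents to display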
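
An added example, not part of the original post: before trusting hits.total (for instance in an alert threshold over log data), check timed_out and _shards.failed, because either one means the count covers only part of the index. The function name and the sample response are constructed for illustration.

```python
import json

# Constructed sample (not from the page): same shape as the responses above,
# but the query timed out and one of the five shards failed.
PARTIAL_RESPONSE = """
{
  "took": 30012,
  "timed_out": true,
  "_shards": {"total": 5, "successful": 4, "failed": 1},
  "hits": {
    "total": 812,
    "max_score": 1.0,
    "hits": [
      {"_index": "bank", "_type": "account", "_id": "25", "_score": 1.0,
       "_source": {"account_number": 25, "balance": 40540}}
    ]
  }
}
"""


def summarize_search_response(raw):
    """Extract the fields listed above and decide whether the result is complete."""
    resp = json.loads(raw)
    shards = resp["_shards"]
    problems = []
    if resp["timed_out"]:
        problems.append("query timed out")
    if shards["failed"] > 0:
        problems.append("%d of %d shards failed" % (shards["failed"], shards["total"]))
    total = resp["hits"]["total"]
    if isinstance(total, dict):  # Elasticsearch 7+ returns {"value": n, "relation": ...}
        total = total["value"]
    return {
        "took_ms": resp["took"],
        "total": total,
        "returned": len(resp["hits"]["hits"]),
        "complete": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    print(summarize_search_response(PARTIAL_RESPONSE))
```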

With the request-body approach, the same query looks like this:

$ curl -XPOST 'localhost:9200/customer/_search?pretty' -d '
> {
> "query":{"match_all": {}}
> }'
{
  "took" : 164,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "customer",
      "_type" : "external",
      "_id" : "1",
      "_score" : 1.0,
      "_source" : {
        "name" : "mars loo",
        "age" : 25
      }
    } ]
  }
}
           

Before going into the syntax Elasticsearch uses for this request body in detail, let's look at the body we just sent:

{
    "query": {"match_all": {}}
}
           

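query indicates that we are running a query through the _search API, and match_all is a query that goes through all documents. By default 10 results are shown (if there are more than 10).

You can also limit how many results are shown, for example (the default value of size is 10):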

$ curl 'localhost:9200/bank/_search?pretty' -d '
> {
> "query":{"match_all": {}},
> "size": 3
> }'
{
  "took" : 185,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1000,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "bank",
      "_type" : "account",
      "_id" : "25",
      "_score" : 1.0,
      "_source" : {
        "account_number" : 25,
        "balance" : 40540,
        "firstname" : "Virginia",
        "lastname" : "Ayala",
        "age" : 39,
        "gender" : "F",
        "address" : "171 Putnam Avenue",
        "employer" : "Filodyne",
        "email" : "[email protected]",
        "city" : "Nicholson",
        "state" : "PA"
      }
    }, {
      "_index" : "bank",
      "_type" : "account",
      "_id" : "44",
      "_score" : 1.0,
      "_source" : {
        "account_number" : 44,
        "balance" : 34487,
        "firstname" : "Aurelia",
        "lastname" : "Harding",
        "age" : 37,
        "gender" : "M",
        "address" : "502 Baycliff Terrace",
        "employer" : "Orbalix",
        "email" : "[email protected]",
        "city" : "Yardville",
        "state" : "DE"
      }
    }, {
      "_index" : "bank",
      "_type" : "account",
      "_id" : "99",
      "_score" : 1.0,
      "_source" : {
        "account_number" : 99,
        "balance" : 47159,
        "firstname" : "Ratliff",
        "lastname" : "Heath",
        "age" : 39,
        "gender" : "F",
        "address" : "806 Rockwell Place",
        "employer" : "Zappix",
        "email" : "[email protected]",
        "city" : "Shaft",
        "state" : "ND"
      }
    } ]
  }
}
           

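In some cases we need to page through the query results. For example, to show the 11th and 12th results, use the following request (the default value of from is 0):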

$ curl -XPOST 'localhost:9200/bank/_search?pretty' -d '
> {
> "query":{"match_all":{}},
> "from":10,
> "size":2
> }'
{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1000,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "bank",
      "_type" : "account",
      "_id" : "227",
      "_score" : 1.0,
      "_source" : {
        "account_number" : 227,
        "balance" : 19780,
        "firstname" : "Coleman",
        "lastname" : "Berg",
        "age" : 22,
        "gender" : "M",
        "address" : "776 Little Street",
        "employer" : "Exoteric",
        "email" : "[email protected]",
        "city" : "Eagleville",
        "state" : "WV"
      }
    }, {
      "_index" : "bank",
      "_type" : "account",
      "_id" : "253",
      "_score" : 1.0,
      "_source" : {
        "account_number" : 253,
        "balance" : 20240,
        "firstname" : "Melissa",
        "lastname" : "Gould",
        "age" : 31,
        "gender" : "M",
        "address" : "440 Fuller Place",
        "employer" : "Buzzopia",
        "email" : "[email protected]",
        "city" : "Lumberton",
        "state" : "MD"
      }
    } ]    
  }
}
           

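Careful readers may have noticed that the results are not sorted by the _id field. To sort the query results, use the following (sorting by the balance field in descending order):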

curl -XPOST 'localhost:9200/bank/_search?pretty' -d '
{
  "query": { "match_all": {} },
  "sort": { "balance": { "order": "desc" } }
}'
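
An added example, not from the original post, that combines from, size and sort: it generates the request bodies needed to walk a whole result set in a fixed order. It assumes the default index.max_result_window of 10000 (Elasticsearch 2.1 and later reject from + size beyond it); the function names and the field allowlist are illustrative.

```python
import json

MAX_RESULT_WINDOW = 10000  # assumption: default index.max_result_window
# Allowlist of sort fields, taken from the bank documents shown above, so a
# caller-supplied value cannot name an arbitrary field.
SORTABLE_FIELDS = {"balance", "age", "account_number"}


def page_body(from_, size, sort_field="balance", order="desc"):
    """Build one _search body with validated from/size/sort values."""
    if sort_field not in SORTABLE_FIELDS:
        raise ValueError("sort field not allowed: %r" % (sort_field,))
    if order not in ("asc", "desc"):
        raise ValueError("order must be 'asc' or 'desc'")
    if from_ < 0 or size < 1:
        raise ValueError("from must be >= 0 and size >= 1")
    if from_ + size > MAX_RESULT_WINDOW:
        raise ValueError("from + size exceeds the result window")
    return {
        "query": {"match_all": {}},
        "from": from_,
        "size": size,
        "sort": {sort_field: {"order": order}},
    }


def page_bodies(total_hits, page_size, **sort):
    """Yield one body per page until total_hits (from hits.total) are covered."""
    reachable = min(total_hits, MAX_RESULT_WINDOW)
    for start in range(0, reachable, page_size):
        # The last page is trimmed so from + size never passes the end.
        yield page_body(start, min(page_size, reachable - start), **sort)


if __name__ == "__main__":
    # Each line can be sent as the -d payload of the curl requests above.
    for body in page_bodies(1000, 300):
        print(json.dumps(body))
```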
           