
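I have some documents stored in ES (via logstash). When querying ES, the results do not look correct:

The first query (see the queries and results below) is supposed (meant) to return documents that do not contain the region field.

Furthermore, based on the result of the first query, there is obviously a document that contains the field region; however, the second query, which should return (at least) one document with region=IN, returns no documents.

  • Is there something wrong with my queries?
  • How can I investigate where the problem lies? (The ES logs contain nothing related to these queries.)

Here are the queries: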

curl -X GET 'http://localhost:9200/logstash*/_search?pretty' -d '{
    "query" : {
        "match_all" : {}
    },
    filter : {
        "and" : [
            { "term" : { "type" : "xsys" } },
            { "missing" : { "field" : "region" } }
        ]
    }, size: 2
}'

Result:

{
  "took" : 40,
  "timed_out" : false,
  "_shards" : {
    "total" : 90,
    "successful" : 90,
    "failed" : 0
  },
  "hits" : {
    "total" : 5747,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "logstash-2013.09.28",
      "_type" : "logs",
      "_id" : "UMrz9bwKQgCq__TwBT0WmQ",
      "_score" : 1.0, 
      "_source" : {
        .....
        "type":"xsys",
        ....
        "region":"IN",
        }
    }, { ....
    } ]
  }
}

In addition, the result of the following query:

curl -X GET 'http://localhost:9200/logstash*/_search?pretty' -d '{
    "query" : { "match_all" : {} },
    filter : { "term" : { "region" : "IN" } },
    size: 1
}'

is:

{
  "took" : 55,
  "timed_out" : false,
  "_shards" : {
    "total" : 90,
    "successful" : 90,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }

With the following mapping:

curl -XPUT http://localhost:9200/_template/logstash_per_index -d '
{
    "template": "logstash*",
    "settings": {
        "index.query.default_field": "message",
        "index.cache.field.type": "soft",
        "index.store.compress.stored": true
    },
    "mappings": {
        "_default_": {
            "_all": { "enabled": false },
            "properties": {
                "message": { "type": "string", "index": "analyzed" },
                "@version": { "type": "string", "index": "not_analyzed" },
                "@timestamp": { "type": "date", "index": "not_analyzed" },
                "type": { "type": "string", "index": "not_analyzed" },
                ....
                "region": { "type": "string", "index": "not_analyzed" },
                ...
            }
        }
    }
}'

The mapping (as returned by ES - curl -XGET 'http://localhost:9200/logstash-2013.09.28/_mapping'):

{
   "logstash-2013.09.28":{
      "logs":{
         "_all":{
            "enabled":false
         },
         "properties":{
            "@timestamp":{
               "type":"date",
               "format":"dateOptionalTime"
            },
            "@version":{
               "type":"string",
               "index":"not_analyzed",
               "omit_norms":true,
               "index_options":"docs"
            },
            "message":{
               "type":"string"
            },
            "region":{
               "type":"string"
            },
            "type":{
               "type":"string",
               "index":"not_analyzed",
               "omit_norms":true,
               "index_options":"docs"
            }
         }
      },
      "_default_":{
         "_all":{
            "enabled":false
         },
         "properties":{
            "@timestamp":{
               "type":"date",
               "format":"dateOptionalTime"
            },
            "@version":{
               "type":"string",
               "index":"not_analyzed",
               "omit_norms":true,
               "index_options":"docs"
            },
            "message":{
               "type":"string"
            },
            "type":{
               "type":"string",
               "index":"not_analyzed",
               "omit_norms":true,
               "index_options":"docs"
            }
         }
      }
   }
}