TL;DR: Using a range filter on a date with an lte condition never returns the record with that exact date.

In the snippets below, focus on the @timestamp field.

Query:

POST logstash-*/logs/_search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": null,
        "lte": "2015-08-31T15:00:07.397Z",
        "format": "date_time"
      }
    }
  },
  "size": 20,
  "from": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "fields": [
    "*",
    "@timestamp"
  ]
}

Query result:

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 586,
    "max_score": null,
    "hits": [
      {
        "_index": "logstash-2015.08.31",
        "_type": "logs",
        "_id": "AU-ERb3Ndl1LVbEg-Dnb",
        "_score": null,
        "fields": {
          "@timestamp": [
            "2015-08-31T15:00:06.455Z"
          ]
        },
        "sort": [
          1441033206455
        ]
      }, (more hits...)

Next step:

Take the @timestamp value from the first result ("2015-08-31T15:00:06.455Z") and put it under the lte key of the same query.

Enhanced query:

POST logstash-*/logs/_search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": null,
        "lte": "2015-08-31T15:00:06.455Z",
        "format": "date_time"
      }
    }
  },
  "size": 20,
  "from": 1,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "fields": [
    "*",
    "@timestamp"
  ]
}

Enhanced query result:

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 585,
    "max_score": null,
    "hits": [
      {
        "_index": "logstash-2015.08.31",
        "_type": "logs",
        "_id": "AU-ERbH6dl1LVbEg-Dna",
        "_score": null,
        "fields": {
          "@timestamp": [
            "2015-08-31T15:00:03.871Z"
          ]
        },
        "sort": [
          1441033203871
        ]
      }, (more hits...)

As you can see above, the record with the date I queried for does not appear in the result list. The hit count is reduced by 1, and the first result has an earlier time rather than the exact time I queried for.

Index template in use:

PUT _template/my_template
{
  "template": "logstash-*",
  "mappings": {
    "logs": {
      "_source": {"enabled": "true"},
      "properties": {
        "@timestamp": { "type": "date", "format": "date_time" },
        # more fields here
      }
    }
  }
}

I am using Elasticsearch 1.7.1.

Thanks!

1 Answer

You have set the value of "from" to 1 in your search request. This means: skip the first result and show the rest. That is why you find the first result missing. If you set "from" to 0 or remove it altogether, you will get the desired result.

answered 2015-08-31T15:52:32.390
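The behaviour the answer describes, as an added Python example that is not part of the original question or answer: it emulates, on a few constructed documents, the three steps Elasticsearch applies here (an inclusive lte/gte range filter on @timestamp, a descending sort, then the from/size window). The document ids and timestamps are made up; the function and parameter names are this example's own. Running it shows that the record whose @timestamp equals the lte bound does pass the filter and sits in position 0 of the sorted hits, so "from": 1 is exactly what drops it, while the total still counts it.

```python
from datetime import datetime, timezone

# Constructed sample documents (not taken from the question). Timestamps use
# the ISO 8601 "date_time" format of the question's @timestamp mapping.
DOCS = [
    {"_id": "doc-a", "@timestamp": "2015-08-31T15:00:07.397Z"},
    {"_id": "doc-b", "@timestamp": "2015-08-31T15:00:06.455Z"},
    {"_id": "doc-c", "@timestamp": "2015-08-31T15:00:03.871Z"},
    {"_id": "doc-d", "@timestamp": "2015-08-31T15:00:01.000Z"},
]


def parse_ts(value):
    """Parse a date_time string into a UTC-aware datetime (millisecond precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def range_filter(docs, lte=None, gte=None):
    """Inclusive range filter on @timestamp: a document whose timestamp equals
    the lte or gte bound is kept, matching Elasticsearch's lte/gte semantics.
    A bound of None (as in the question's "gte": null) is treated as absent."""
    lower = parse_ts(gte) if gte else None
    upper = parse_ts(lte) if lte else None
    kept = []
    for doc in docs:
        ts = parse_ts(doc["@timestamp"])
        if lower is not None and ts < lower:
            continue
        if upper is not None and ts > upper:
            continue
        kept.append(doc)
    return kept


def search(docs, lte=None, gte=None, from_=0, size=20):
    """Emulate filter -> sort desc by @timestamp -> from/size window.
    "total" is the number of matching documents before the window is applied,
    which is why the question's total changed with the bound but not with from."""
    matched = range_filter(docs, lte=lte, gte=gte)
    ordered = sorted(matched, key=lambda d: parse_ts(d["@timestamp"]), reverse=True)
    return {"total": len(ordered), "hits": ordered[from_:from_ + size]}


def first_hit_ts(result):
    """Timestamp of the first returned hit, or None if the window is empty."""
    return result["hits"][0]["@timestamp"] if result["hits"] else None


if __name__ == "__main__":
    bound = "2015-08-31T15:00:06.455Z"
    with_offset = search(DOCS, lte=bound, from_=1)
    without_offset = search(DOCS, lte=bound, from_=0)
    print("from=1 ->", with_offset["total"], first_hit_ts(with_offset))
    print("from=0 ->", without_offset["total"], first_hit_ts(without_offset))
```

With "from": 1 the first returned hit is the 15:00:03.871Z document even though the 15:00:06.455Z document matched, reproducing the symptom in the question; with "from": 0 (or the key omitted) the exact-match document is the first hit. If the intent is to page through results rather than skip one, the offset should advance by size, not by 1.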