
在 Elasticsearch 中,我想用 DSL 查询比较两种日志(nat 日志和网关日志)。

nat 日志中有字段 srcip1,网关日志中有字段 srcip2。

如果满足 srcip1 === srcip2 这个条件,我希望在结果中显示 "agent.id"。

此外,下面是我已经写好的相关查询(注意它的 must 条件过滤的是 data.srcip,而 fields 里请求的却是 data.srcip1,两者并不一致):

{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "location": "\\Users\\Saad\\Desktop\\nat.log"
          }
        },
        {
          "match": {
            "location": "\\Users\\Saad\\Desktop\\attendance-logs-with-ports.log"
          }
        }
      ],
      "must": [
        {
          "term": {
            "data.srcip": "1.1.1.1"
          }
        }
      ]
    }
  },
  "fields": [
    "data.srcip1"
  ],
  "_source": false
  
}

我尝试了多种方法,但没有成功。




要以汇总形式展示结果,请使用聚合(aggregation)。如果您想针对某个 IP,按日志类型比较出现了哪些代理(agent),可以用下面的查询。两点说明:第一,Elasticsearch 本身不支持跨文档的 join,这种写法只能针对一个给定的 IP 做比较;如果要对所有 IP 自动完成 srcip1 === srcip2 的匹配,通常需要在写入时把两种日志的源 IP 归一到同一个字段名(并映射为 ip 类型),再按该字段做 terms 聚合。第二,下面查询中的 """...""" 三引号字符串是 Kibana Dev Tools 控制台的语法,通过 HTTP 客户端直接发送严格 JSON 时必须改为带转义的普通字符串(例如 "\\Users\\Saad\\Desktop\\nat.log");.keyword 子字段依赖默认的动态映射,如果索引使用了自定义映射,请相应调整字段名。

写入示例数据(三条文档都使用同一个 IP 1.1.1.1,其中两条来自 nat.log、一条来自 attendance-logs-with-ports.log):

POST test_saad/_doc
{
  "location": "\\Users\\Saad\\Desktop\\nat.log",
  "data": {
    "srcip1": "1.1.1.1"
  },
  "agent": {
    "id": "agent_1"
  }
}

POST test_saad/_doc
{
  "location": "\\Users\\Saad\\Desktop\\attendance-logs-with-ports.log",
  "data": {
    "srcip2": "1.1.1.1"
  },
  "agent": {
    "id": "agent_1"
  }
}

POST test_saad/_doc
{
  "location": "\\Users\\Saad\\Desktop\\nat.log",
  "data": {
    "srcip1": "1.1.1.1"
  },
  "agent": {
    "id": "agent_2"
  }
}

请求

POST test_saad/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "data.srcip1.keyword": "1.1.1.2"
                }
              },
              {
                "term": {
                  "data.srcip2.keyword": "1.1.1.2"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "bool": {
            "should": [
              {
                "term": {
                  "location.keyword": """\Users\Saad\Desktop\nat.log"""
                }
              },
              {
                "term": {
                  "location.keyword": """\Users\Saad\Desktop\attendance-logs-with-ports.log"""
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "aggs": {
    "log_types": {
      "terms": {
        "field": "location.keyword",
        "size": 10
      },
      "aggs": {
        "agent_types": {
          "terms": {
            "field": "agent.id.keyword",
            "size": 10
          }
        }
      }
    }
  }
}

响应(注意:上面的查询把 IP 写成了 1.1.1.2,而示例文档中都是 1.1.1.1,按 1.1.1.2 查询会一条都匹配不到;下面的响应对应的是查询 1.1.1.1 时的结果,命中总数为 3。另外两个 terms 聚合都设置了 size: 10,日志类型或代理超过 10 个时桶会被截断,请检查 sum_other_doc_count 是否为 0):

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "log_types" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : """\Users\Saad\Desktop\nat.log""",
          "doc_count" : 2,
          "agent_types" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "key" : "agent_1",
                "doc_count" : 1
              },
              {
                "key" : "agent_2",
                "doc_count" : 1
              }
            ]
          }
        },
        {
          "key" : """\Users\Saad\Desktop\attendance-logs-with-ports.log""",
          "doc_count" : 1,
          "agent_types" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "key" : "agent_1",
                "doc_count" : 1
              }
            ]
          }
        }
      ]
    }
  }
}