IV. Common operation guide
Below are answers to some everyday usage questions.
1. How to call the ES API from Kibana
After logging in to Kibana, open Management -> Dev Tools from the menu. In the left-hand pane, clear any existing content and enter:
GET /
A JSON document appears in the right-hand pane showing the ES version and other cluster information:
{
  "name": "dae8747df6f0",
  "cluster_name": "docker-cluster",
  "cluster_uuid": "toprRlPKRv22cMX8gh96LQ",
  "version": {
    "number": "8.4.3",
    "build_flavor": "default",
    "build_type": "docker",
    "build_hash": "42f05b9372a9a4a470db3b52817899b99a76ee73",
    "build_date": "2022-10-04T07:17:24.662462378Z",
    "build_snapshot": false,
    "lucene_version": "9.3.0",
    "minimum_wire_compatibility_version": "7.17.0",
    "minimum_index_compatibility_version": "7.0.0"
  },
  "tagline": "You Know, for Search"
}
2. Add a single document
Submit the following index request to add a single log entry to the logs-myapp data stream.
Because logs-myapp does not exist yet, the request creates it automatically using the built-in logs-*-* index template.
This simulates one file-log record of an HTTP request:
POST logs-myapp/_doc
{
  "@timestamp": "2099-05-06T16:21:15.000Z",
  "event": {
    "original": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  }
}
Response
The response includes the metadata Elasticsearch generated for the document:
- The backing index (_index) that contains the document. Elasticsearch generates the backing index name automatically.
- The document's unique _id within the index.
{
  "_index": "logs-myapp",
  "_id": "snwQN4QBFZ31xH8Hlg-J",
  "_version": 1,
  "result": "created",
  "_shards": { "total": 2, "successful": 1, "failed": 0 },
  "_seq_no": 0,
  "_primary_term": 1
}
3. Add multiple documents
Use the _bulk endpoint to add multiple documents in a single request. The bulk body must be newline-delimited JSON (NDJSON): every line must end with a newline character (\n), including the last one.
PUT logs-myapp/_bulk
{ "create": { } }
{ "@timestamp": "2099-05-07T16:24:32.000Z", "event": { "original": "192.0.2.242 - - [07/May/2020:16:24:32 -0500] \"GET /images/hm_nbg.jpg HTTP/1.0\" 304 0" } }
{ "create": { } }
{ "@timestamp": "2099-05-08T16:25:42.000Z", "event": { "original": "192.0.2.255 - - [08/May/2099:16:25:42 +0000] \"GET /favicon.ico HTTP/1.0\" 200 3638" } }
Response
{
  "took": 28,
  "errors": false,
  "items": [
    {
      "create": {
        "_index": "logs-myapp",
        "_id": "s3wVN4QBFZ31xH8HcQ8j",
        "_version": 1,
        "result": "created",
        "_shards": { "total": 2, "successful": 1, "failed": 0 },
        "_seq_no": 1,
        "_primary_term": 1,
        "status": 201
      }
    },
    {
      "create": {
        "_index": "logs-myapp",
        "_id": "tHwVN4QBFZ31xH8HcQ8j",
        "_version": 1,
        "result": "created",
        "_shards": { "total": 2, "successful": 1, "failed": 0 },
        "_seq_no": 2,
        "_primary_term": 1,
        "status": 201
      }
    }
  ]
}
4. List the current indices
GET _cat/indices
5. Search document content
The query matches all entries, sorted by the @timestamp field in descending order:
GET logs-myapp/_search
{
  "query": { "match_all": {} },
  "sort": [ { "@timestamp": { "order": "desc" } } ]
}
Result
{
  "took": 0,
  "timed_out": false,
  "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 3, "relation": "eq" },
    "max_score": null,
    "hits": [
      {
        "_index": "logs-myapp",
        "_id": "tHwVN4QBFZ31xH8HcQ8j",
        "_score": null,
        "_source": {
          "@timestamp": "2099-05-08T16:25:42.000Z",
          "event": {
            "original": """192.0.2.255 - - [08/May/2099:16:25:42 +0000] "GET /favicon.ico HTTP/1.0" 200 3638"""
          }
        },
        "sort": [4081940742000]
      },
      {
        "_index": "logs-myapp",
        "_id": "s3wVN4QBFZ31xH8HcQ8j",
        "_score": null,
        "_source": {
          "@timestamp": "2099-05-07T16:24:32.000Z",
          "event": {
            "original": """192.0.2.242 - - [07/May/2020:16:24:32 -0500] "GET /images/hm_nbg.jpg HTTP/1.0" 304 0"""
          }
        },
        "sort": [4081854272000]
      },
      {
        "_index": "logs-myapp",
        "_id": "snwQN4QBFZ31xH8Hlg-J",
        "_score": null,
        "_source": {
          "@timestamp": "2099-05-06T16:21:15.000Z",
          "event": {
            "original": """192.0.2.42 - - [06/May/2099:16:21:15 +0000] "GET /images/bg.jpg HTTP/1.0" 200 24736"""
          }
        },
        "sort": [4081767675000]
      }
    ]
  }
}
6. Search document content: specific fields
For large documents, parsing the entire _source is cumbersome. Set the _source parameter to false and list the fields you want in the fields parameter instead:
GET logs-myapp/_search
{
  "query": { "match_all": {} },
  "fields": ["@timestamp"],
  "_source": false,
  "sort": [ { "@timestamp": { "order": "desc" } } ]
}
Response
{
  "took": 0,
  "timed_out": false,
  "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 3, "relation": "eq" },
    "max_score": null,
    "hits": [
      {
        "_index": "logs-myapp",
        "_id": "tHwVN4QBFZ31xH8HcQ8j",
        "_score": null,
        "fields": { "@timestamp": ["2099-05-08T16:25:42.000Z"] },
        "sort": [4081940742000]
      },
      {
        "_index": "logs-myapp",
        "_id": "s3wVN4QBFZ31xH8HcQ8j",
        "_score": null,
        "fields": { "@timestamp": ["2099-05-07T16:24:32.000Z"] },
        "sort": [4081854272000]
      },
      {
        "_index": "logs-myapp",
        "_id": "snwQN4QBFZ31xH8Hlg-J",
        "_score": null,
        "fields": { "@timestamp": ["2099-05-06T16:21:15.000Z"] },
        "sort": [4081767675000]
      }
    ]
  }
}
7. Search document content: range query
Search within a specific time or IP range:
GET logs-myapp/_search
{
  "query": {
    "range": {
      "@timestamp": { "gte": "2099-05-07", "lte": "2099-05-08" }
    }
  },
  "fields": ["@timestamp"],
  "_source": false,
  "sort": [ { "@timestamp": { "order": "desc" } } ]
}
Response
{
  "took": 0,
  "timed_out": false,
  "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 2, "relation": "eq" },
    "max_score": null,
    "hits": [
      {
        "_index": "logs-myapp",
        "_id": "tHwVN4QBFZ31xH8HcQ8j",
        "_score": null,
        "fields": { "@timestamp": ["2099-05-08T16:25:42.000Z"] },
        "sort": [4081940742000]
      },
      {
        "_index": "logs-myapp",
        "_id": "s3wVN4QBFZ31xH8HcQ8j",
        "_score": null,
        "fields": { "@timestamp": ["2099-05-07T16:24:32.000Z"] },
        "sort": [4081854272000]
      }
    ]
  }
}
8. Search document content: range query with date math
Query the past day using a date-math expression:
GET logs-myapp/_search
{
  "query": {
    "range": {
      "@timestamp": { "gte": "now-1d/d", "lte": "now/d" }
    }
  },
  "fields": ["@timestamp"],
  "_source": false,
  "sort": [ { "@timestamp": { "order": "desc" } } ]
}
Response
{
  "took": 0,
  "timed_out": false,
  "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 0, "relation": "eq" },
    "max_score": null,
    "hits": []
  }
}
9. Search document content: extracting content
Index a raw log line as raw_message, together with an address field, into logs-test:
POST logs-test/_doc/1
{
  "raw_message": "199.72.81.55 - - [01/Jul/1995:00:00:01 -0400] GET /history/apollo/ HTTP/1.0 200 6245",
  "address": "1.2.3.4"
}
Result
{
  "_index": "logs-test",
  "_id": "1",
  "_version": 1,
  "result": "created",
  "_shards": { "total": 2, "successful": 1, "failed": 0 },
  "_seq_no": 0,
  "_primary_term": 1
}
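As an added example that is not part of the original guide, the following Python parses raw common-log lines like the raw_message in item 9 and the event.original strings in item 3 into documents with a proper @timestamp, and assembles the NDJSON body for PUT logs-myapp/_bulk, including the trailing newline the bulk API requires. The ECS-style field names (source.ip, http.response.status_code, url.path) are an assumption of this example, not something the guide specifies.

```python
"""Added example: Apache common-log lines -> Elasticsearch _bulk NDJSON."""
import json
import re
from datetime import datetime

# Common log format: client ident user [time] "method path proto" status bytes
# The quotes around the request are optional so the unquoted line from item 9 parses too.
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+?)"? '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_clf(line: str) -> dict:
    """One raw access-log line -> document for the logs-myapp data stream.
    The raw line is kept verbatim in event.original; the extracted field
    names are ECS-style, an assumption of this example, not the guide's."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError(f"not a common-log line: {line!r}")
    # "06/May/2099:16:21:15 +0000" -> timezone-aware datetime
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        # ISO-8601 with millisecond precision, "Z" for UTC as in the guide
        "@timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "event": {"original": line},
        "source": {"ip": m["client"]},
        "http": {
            "request": {"method": m["method"]},
            "response": {"status_code": int(m["status"]),
                         "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])},
        },
        "url": {"path": m["path"]},
    }


def bulk_body(docs) -> str:
    """NDJSON for PUT logs-myapp/_bulk: an action line ({"create": {}}) then
    the source line for each document, and a newline after the final line,
    which Elasticsearch requires."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"create": {}}))
        lines.append(json.dumps(doc, ensure_ascii=False))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":  # sample lines taken from items 3 and 9 above
    sample = ['192.0.2.255 - - [08/May/2099:16:25:42 +0000] "GET /favicon.ico HTTP/1.0" 200 3638',
              '199.72.81.55 - - [01/Jul/1995:00:00:01 -0400] GET /history/apollo/ HTTP/1.0 200 6245']
    print(bulk_body(parse_clf(l) for l in sample), end="")
```

Send the returned string as the body of PUT logs-myapp/_bulk with Content-Type: application/x-ndjson; a line that does not match the format raises ValueError instead of silently producing a document without a timestamp.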