如何传递值以进行外部查询

tag-icon tag-icon curl elasticsearch elk
如何传递值以进行外部查询

我有以下类似的日志。

我已经创建了虚拟对象index并创建了mapping如下所示的内容dev-tools

PUT new
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type":   "date",
        "format": "yyyy-MM-dd HH:mm:ss.SSS"
      }
    }
  }
}

以及indexed以下数据,

PUT /new/_doc/1
{
  "@timestamp": "2021-11-05 08:12:14.534",
  "level": "INFO",
  "id": "1",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/2
{
  "@timestamp": "2021-10-14 09:11:14.534",
  "level": "INFO",
  "id": "3",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/3
{
  "@timestamp": "2021-09-09 02:08:20.534",
  "level": "INFO",
  "id": "4",
  "text": "website is accessed",
  "status": "clicked"
}

我可以使用以下request查询获取总计数,

GET new/_search
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

得到response如下结果,

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

如您所见,我需要hardcode获取date特定月份的值month,即获取sept月份的相同信息,我需要date time range在 curl 请求中修改以下内容,

"range": {
  "@timestamp": {
    "gte": "2021-09-01",
    "lte": "2021-09-30"
    }
    }

下面是curl call request

curl -u elastic:xxx  -XGET "http://10.10.10.10:9200/new/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}'

我如何才能动态地传递year和(即实际上不对其month进行硬编码请求本身)到 curl 请求以获取该特定 的信息monthyear

更新 -

我可以使用下面的方法获取上个月(11 月)或过去 2 个月(10 月)等的结果,

上个月 - Nov-

"gte": "now-M",
"lt": "now/M"

2个月 -Oct

"gte": "now-2M/M",
"lte": "now-2M/M"

但是有没有办法提供所需的yearmonth检索结果?

谢谢,

答案1

您可以使用日期数学有明确日期:

"range": {
  "@timestamp": {
    "gte": "2021-10-01",
    "lte": "2021-10-01||+1M/d"
  }
}

相关内容