多個像彈性搜索

Question

我在彈性搜索文檔場path查詢具有這樣

/logs/hadoop-yarn/container/application_1451299305289_0120/container_e18_1451299305289_0120_01_011007/stderr 
/logs/hadoop-yarn/container/application_1451299305289_0120/container_e18_1451299305289_0120_01_008874/stderr 

#*Note -- I want to select all the documents having below line in the **path** field 
/logs/hadoop-yarn/container/application_1451299305289_0120/container_e18_1451299305289_0120_01_009257/stderr 

我要打給某些事情（基本上是和這個path領域的類似查詢條目

1. 我已經給申請號1451299305289_0120
2. 我也給任務數009257
- ：在所有3）條件
3. 路徑字段也應該包含stderr

鑑於上述標準具有路徑字段作爲第三行的文件應該被選擇

這是我的嘗試到目前爲止

http://localhost:9200/logstash-*/_search?q=application_1451299305289_0120 AND path:stderr&size=50 

該查詢符合第三條件，部分爲第一條件，即如果我搜索1451299305289_0120而不是application_1451299305289_0120，則得到0個結果。 （我真正需要的是像1451299305289_0120搜索）

當我嘗試這樣做

http://10.30.145.160:9200/logstash-*/_search?q=path:*_1451299305289_0120*008779 AND path:stderr&size=50 

我得到的結果，但在開始使用*是一個代價高昂的操作。是他們另一種有效實現此目標的方法（如使用nGram和使用的elastic-search）

Answer 1

這可以通過使用Pattern Replace Char Filter來實現。您只需提取regex的重要信息位。這是我的設置

POST log_index 
{ 
    "settings": { 
    "analysis": { 
     "analyzer": { 
     "app_analyzer": { 
      "char_filter": [ 
      "app_extractor" 
      ], 
      "tokenizer": "keyword", 
      "filter": [ 
      "lowercase", 
      "asciifolding" 
      ] 
     }, 
     "path_analyzer": { 
      "char_filter": [ 
      "path_extractor" 
      ], 
      "tokenizer": "keyword", 
      "filter": [ 
      "lowercase", 
      "asciifolding" 
      ] 
     }, 
     "task_analyzer": { 
      "char_filter": [ 
      "task_extractor" 
      ], 
      "tokenizer": "keyword", 
      "filter": [ 
      "lowercase", 
      "asciifolding" 
      ] 
     } 
     }, 
     "char_filter": { 
     "app_extractor": { 
      "type": "pattern_replace", 
      "pattern": ".*application_(.*)/container.*", 
      "replacement": "$1" 
     }, 
     "path_extractor": { 
      "type": "pattern_replace", 
      "pattern": ".*/(.*)", 
      "replacement": "$1" 
     }, 
     "task_extractor": { 
      "type": "pattern_replace", 
      "pattern": ".*container.{27}(.*)/.*", 
      "replacement": "$1" 
     } 
     } 
    } 
    }, 
    "mappings": { 
    "your_type": { 
     "properties": { 
     "name": { 
      "type": "string", 
      "analyzer": "keyword", 
      "fields": { 
      "application_number": { 
       "type": "string", 
       "analyzer": "app_analyzer" 
      }, 
      "path": { 
       "type": "string", 
       "analyzer": "path_analyzer" 
      }, 
      "task": { 
       "type": "string", 
       "analyzer": "task_analyzer" 
      } 
      } 
     } 
     } 
    } 
    } 
} 

我提取application number，task number和path用正則表達式。如果您有其他日誌格式，您可能需要稍微優化task regex，那麼我們可以使用Filters進行搜索。使用過濾器的一大優勢是它們是緩存並使後續調用更快。

我索引採樣日誌這樣

PUT log_index/your_type/1 
{ 
    "name" : "/logs/hadoop-yarn/container/application_1451299305289_0120/container_e18_1451299305289_0120_01_009257/stderr" 
} 

該查詢會給你想要的效果

GET log_index/_search 
{ 
    "query": { 
    "filtered": { 
     "filter": { 
     "bool": { 
      "must": [ 
      { 
       "term": { 
       "name.application_number": "1451299305289_0120" 
       } 
      }, 
      { 
       "term": { 
       "name.task": "009257" 
       } 
      }, 
      { 
       "term": { 
       "name.path": "stderr" 
       } 
      } 
      ] 
     } 
     } 
    } 
    } 
} 

在一個側面說明filtered query在ES 2.x棄用，只是使用過濾器directly.Also path hierarchy可能有用的一些其他用途

希望這會有所幫助:)