四、常见的操作指南
下面是一些日常使用疑问
1、如何kibana调用es接口命令
登录kibana系统后,在菜单栏中Management->Dev Tools, 进入后我们在左侧框中输入(先清空),输入下面的内容
代码语言:javascript复制GET /右侧栏中会出现一段json,可以看到我们的es版本等信息
代码语言:javascript复制{
"name": "dae8747df6f0",
"cluster_name": "docker-cluster",
"cluster_uuid": "toprRlPKRv22cMX8gh96LQ",
"version": {
"number": "8.4.3",
"build_flavor": "default",
"build_type": "docker",
"build_hash": "42f05b9372a9a4a470db3b52817899b99a76ee73",
"build_date": "2022-10-04T07:17:24.662462378Z",
"build_snapshot": false,
"lucene_version": "9.3.0",
"minimum_wire_compatibility_version": "7.17.0",
"minimum_index_compatibility_version": "7.0.0"
},
"tagline": "You Know, for Search"
}2、添加单个文档
提交以下索引请求以将单个日志条目添加到 logs-myapp 数据流。
由于 logs-myapp不存在,请求会使用内置的 logs-*-* 索引模板自动创建它。
这里模拟的是一个请求的文件日志记录
代码语言:javascript复制POST logs-myapp/_doc
{
"@timestamp": "2099-05-06T16:21:15.000Z",
"event": {
"original": "192.0.2.42 - - [06/May/2099:16:21:15 0000] "GET /images/bg.jpg HTTP/1.0" 200 24736"
}
}返回数据
响应包括 Elasticsearch 为文档生成的元数据:
- 包含文档的支持 _index。Elasticsearch 会自动生成支持索引的名称。
- 索引中文档的唯一 _id。
{
"_index": "logs-myapp",
"_id": "snwQN4QBFZ31xH8Hlg-J",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 1,
"failed": 0
},
"_seq_no": 0,
"_primary_term": 1
}3、添加多个文档
使用 _bulk 端点在一个请求中添加多个文档。批量数据必须是换行符分隔的 JSON (NDJSON)。每行必须以换行符 (n) 结尾,包括最后一行。
代码语言:javascript复制PUT logs-myapp/_bulk
{ "create": { } }
{ "@timestamp": "2099-05-07T16:24:32.000Z", "event": { "original": "192.0.2.242 - - [07/May/2020:16:24:32 -0500] "GET /images/hm_nbg.jpg HTTP/1.0" 304 0" } }
{ "create": { } }
{ "@timestamp": "2099-05-08T16:25:42.000Z", "event": { "original": "192.0.2.255 - - [08/May/2099:16:25:42 0000] "GET /favicon.ico HTTP/1.0" 200 3638" } }响应数据
代码语言:javascript复制{
"took": 28,
"errors": false,
"items": [
{
"create": {
"_index": "logs-myapp",
"_id": "s3wVN4QBFZ31xH8HcQ8j",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 1,
"failed": 0
},
"_seq_no": 1,
"_primary_term": 1,
"status": 201
}
},
{
"create": {
"_index": "logs-myapp",
"_id": "tHwVN4QBFZ31xH8HcQ8j",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 1,
"failed": 0
},
"_seq_no": 2,
"_primary_term": 1,
"status": 201
}
}
]
}4、查看当前索引
代码语言:javascript复制GET _cat/indices5、搜索文档内容
查询条件为所有条目,
按字段@timestamp降序排列
代码语言:javascript复制GET logs-myapp/_search
{
"query": {
"match_all": {}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}返回结果
代码语言:javascript复制{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 3,
"relation": "eq"
},
"max_score": null,
"hits": [
{
"_index": "logs-myapp",
"_id": "tHwVN4QBFZ31xH8HcQ8j",
"_score": null,
"_source": {
"@timestamp": "2099-05-08T16:25:42.000Z",
"event": {
"original": """192.0.2.255 - - [08/May/2099:16:25:42 0000] "GET /favicon.ico HTTP/1.0" 200 3638"""
}
},
"sort": [
4081940742000
]
},
{
"_index": "logs-myapp",
"_id": "s3wVN4QBFZ31xH8HcQ8j",
"_score": null,
"_source": {
"@timestamp": "2099-05-07T16:24:32.000Z",
"event": {
"original": """192.0.2.242 - - [07/May/2020:16:24:32 -0500] "GET /images/hm_nbg.jpg HTTP/1.0" 304 0"""
}
},
"sort": [
4081854272000
]
},
{
"_index": "logs-myapp",
"_id": "snwQN4QBFZ31xH8Hlg-J",
"_score": null,
"_source": {
"@timestamp": "2099-05-06T16:21:15.000Z",
"event": {
"original": """192.0.2.42 - - [06/May/2099:16:21:15 0000] "GET /images/bg.jpg HTTP/1.0" 200 24736"""
}
},
"sort": [
4081767675000
]
}
]
}
}6、搜索文档内容-特定字段
对于大文档,解析整个_source很麻烦,
我们需要将_source参数置为false。
然后从fields参数中来检索想要的字段
代码语言:javascript复制GET logs-myapp/_search
{
"query": {
"match_all": {}
},
"fields": [
"@timestamp"
],
"_source": false,
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}响应数据
代码语言:javascript复制{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 3,
"relation": "eq"
},
"max_score": null,
"hits": [
{
"_index": "logs-myapp",
"_id": "tHwVN4QBFZ31xH8HcQ8j",
"_score": null,
"fields": {
"@timestamp": [
"2099-05-08T16:25:42.000Z"
]
},
"sort": [
4081940742000
]
},
{
"_index": "logs-myapp",
"_id": "s3wVN4QBFZ31xH8HcQ8j",
"_score": null,
"fields": {
"@timestamp": [
"2099-05-07T16:24:32.000Z"
]
},
"sort": [
4081854272000
]
},
{
"_index": "logs-myapp",
"_id": "snwQN4QBFZ31xH8Hlg-J",
"_score": null,
"fields": {
"@timestamp": [
"2099-05-06T16:21:15.000Z"
]
},
"sort": [
4081767675000
]
}
]
}
}7、搜索文档内容-查询范围
在特定的时间或者IP范围内进行搜索
代码语言:javascript复制GET logs-myapp/_search
{
"query": {
"range": {
"@timestamp": {
"gte": "2099-05-07",
"lte": "2099-05-08"
}
}
},
"fields": [
"@timestamp"
],
"_source": false,
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}响应数据
代码语言:javascript复制{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 2,
"relation": "eq"
},
"max_score": null,
"hits": [
{
"_index": "logs-myapp",
"_id": "tHwVN4QBFZ31xH8HcQ8j",
"_score": null,
"fields": {
"@timestamp": [
"2099-05-08T16:25:42.000Z"
]
},
"sort": [
4081940742000
]
},
{
"_index": "logs-myapp",
"_id": "s3wVN4QBFZ31xH8HcQ8j",
"_score": null,
"fields": {
"@timestamp": [
"2099-05-07T16:24:32.000Z"
]
},
"sort": [
4081854272000
]
}
]
}
}8、搜索文档内容-查询范围
对过去一天进行查询 ,表达式
代码语言:javascript复制GET logs-myapp/_search
{
"query": {
"range": {
"@timestamp": {
"gte": "now-1d/d",
"lte": "now/d"
}
}
},
"fields": [
"@timestamp"
],
"_source": false,
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}响应数据
代码语言:javascript复制{
"took": 0,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 0,
"relation": "eq"
},
"max_score": null,
"hits": []
}
}9、搜索文档内容-提取内容
代码语言:javascript复制POST logs-test/_doc/1
{
"raw_message":"199.72.81.55 - - [01/Jul/1995:00:00:01 -0400] GET /history/apollo/ HTTP/1.0 200 6245",
"address":"1.2.3.4"
}结果
代码语言:javascript复制{
"_index": "logs-test",
"_id": "1",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 1,
"failed": 0
},
"_seq_no": 0,
"_primary_term": 1
}
