Elasticsearchでよく使うクエリまとめ



Elasticsearchでよく使うクエリをまとめてます。

使用するデータ

Kibanaのサンプルデータ「Sample web logs」（インデックス名: kibana_sample_data_logs）を使用します。

データ例

{
  "_index": "kibana_sample_data_logs",
  "_type": "_doc",
  "_id": "6IISgXUBAUC12oEIeLAm",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
    "bytes": 3228,
    "clientip": "108.89.189.175",
    "extension": "rpm",
    "geo": {
      "srcdest": "AZ:CN",
      "src": "AZ",
      "dest": "CN",
      "coordinates": {
        "lat": 37.32668528,
        "lon": -79.20043056
      }
    },
    "host": "artifacts.elastic.co",
    "index": "kibana_sample_data_logs",
    "ip": "108.89.189.175",
    "machine": {
      "ram": 7516192768,
      "os": "ios"
    },
    "memory": null,
    "message": "108.89.189.175 - - [2018-07-28T21:55:26.831Z] \"GET /beats/metricbeat/metricbeat-6.3.2-i686.rpm HTTP/1.1\" 200 3228 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
    "phpmemory": null,
    "referer": "http://twitter.com/success/linda-godwin",
    "request": "/beats/metricbeat/metricbeat-6.3.2-i686.rpm",
    "response": 200,
    "tags": [
      "success",
      "security"
    ],
    "timestamp": "2020-10-31T21:55:26.831Z",
    "url": "https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-6.3.2-i686.rpm",
    "utc_time": "2020-10-31T21:55:26.831Z",
    "event": {
      "dataset": "sample_web_logs"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-10-31T21:55:26.831Z"
    ],
    "utc_time": [
      "2020-10-31T21:55:26.831Z"
    ],
    "hour_of_day": [
      21
    ],
    "timestamp": [
      "2020-10-31T21:55:26.831Z"
    ]
  },
  "sort": [
    1604181326831
  ]
}

検索

簡単な検索

リクエスト

# Simple full-text search: "match" analyzes the query string with the
# field's analyzer and matches the resulting tokens against geo.src.
# This example sends no credentials (plain http to localhost); against a
# secured cluster add credentials (e.g. `-u user:password` or an
# `Authorization: ApiKey ...` header) and use https. _search accepts the
# body on GET; POST is equivalent if an intermediary strips GET bodies.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
        "match": {
            "geo.src": "AZ"
        }
    }
}
EOF

レスポンス

{
  "took" : 9,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10,
      "relation" : "eq"
    },
    "max_score" : 7.20078,
    "hits" : [
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "6IISgXUBAUC12oEIeLAm",
        "_score" : 7.20078,
        "_source" : {
          "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
          "bytes" : 3228,
          "clientip" : "108.89.189.175",
          "extension" : "rpm",
          "geo" : {
            "srcdest" : "AZ:CN",
            "src" : "AZ",
            "dest" : "CN",
            "coordinates" : {
              "lat" : 37.32668528,
              "lon" : -79.20043056
            }
          },
          "host" : "artifacts.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "108.89.189.175",
          "machine" : {
            "ram" : 7516192768,
            "os" : "ios"
          },
          "memory" : null,
          "message" : "108.89.189.175 - - [2018-07-28T21:55:26.831Z] \"GET /beats/metricbeat/metricbeat-6.3.2-i686.rpm HTTP/1.1\" 200 3228 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
          "phpmemory" : null,
          "referer" : "http://twitter.com/success/linda-godwin",
          "request" : "/beats/metricbeat/metricbeat-6.3.2-i686.rpm",
          "response" : 200,
          "tags" : [
            "success",
            "security"
          ],
          "timestamp" : "2020-10-31T21:55:26.831Z",
          "url" : "https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-6.3.2-i686.rpm",
          "utc_time" : "2020-10-31T21:55:26.831Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      },
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "TIISgXUBAUC12oEIj-Ct",
        "_score" : 7.20078,
        "_source" : {
          "agent" : "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
          "bytes" : 6542,
          "clientip" : "220.243.152.168",
          "extension" : "",
          "geo" : {
            "srcdest" : "AZ:PK",
            "src" : "AZ",
            "dest" : "PK",
            "coordinates" : {
              "lat" : 38.75495611,
              "lon" : -109.7548439
            }
          },
          "host" : "elastic-elastic-elastic.org",
          "index" : "kibana_sample_data_logs",
          "ip" : "220.243.152.168",
          "machine" : {
            "ram" : 5368709120,
            "os" : "ios"
          },
          "memory" : 261680,
          "message" : "220.243.152.168 - - [2018-09-19T12:35:27.337Z] \"GET /people/type:astronauts/name:liu-boming/profile HTTP/1.1\" 200 6542 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\"",
          "phpmemory" : 261680,
          "referer" : "http://www.elastic-elastic-elastic.com/success/douglas-g-hurley",
          "request" : "/people/type:astronauts/name:liu-boming/profile",
          "response" : 200,
          "tags" : [
            "success",
            "login"
          ],
          "timestamp" : "2020-12-23T12:35:27.337Z",
          "url" : "https://elastic-elastic-elastic.org/people/type:astronauts/name:liu-boming/profile",
          "utc_time" : "2020-12-23T12:35:27.337Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      }
    ]
  }
}

全件検索

match_allを使用して、ドキュメントの件数や、格納されているドキュメントの一部を確認することができます。

リクエスト

# Match every document in the index. Only the first 10 hits are returned
# by default, and hits.total.value stops counting at 10,000 (shown as
# "relation": "gte" in the response) unless track_total_hits is set.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
        "match_all": {}
    }
}
EOF

レスポンス

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "_YISgXUBAUC12oEIcapM",
        "_score" : 1.0,
        "_source" : {
          "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
          "bytes" : 6219,
          "clientip" : "223.87.60.27",
          "extension" : "deb",
          "geo" : {
            "srcdest" : "IN:US",
            "src" : "IN",
            "dest" : "US",
            "coordinates" : {
              "lat" : 39.41042861,
              "lon" : -88.8454325
            }
          },
          "host" : "artifacts.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "223.87.60.27",
          "machine" : {
            "ram" : 8589934592,
            "os" : "win 8"
          },
          "memory" : null,
          "message" : "223.87.60.27 - - [2018-07-22T00:39:02.912Z] \"GET /elasticsearch/elasticsearch-6.3.2.deb_1 HTTP/1.1\" 200 6219 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
          "phpmemory" : null,
          "referer" : "http://twitter.com/success/wendy-lawrence",
          "request" : "/elasticsearch/elasticsearch-6.3.2.deb",
          "response" : 200,
          "tags" : [
            "success",
            "info"
          ],
          "timestamp" : "2020-10-25T00:39:02.912Z",
          "url" : "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.deb_1",
          "utc_time" : "2020-10-25T00:39:02.912Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      },
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "BoISgXUBAUC12oEIcatM",
        "_score" : 1.0,
        "_source" : {
          "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
          "bytes" : 9797,
          "clientip" : "12.132.31.17",
          "extension" : "gz",
          "geo" : {
            "srcdest" : "BD:EC",
            "src" : "BD",
            "dest" : "EC",
            "coordinates" : {
              "lat" : 32.14308333,
              "lon" : -111.1728611
            }
          },
          "host" : "artifacts.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "12.132.31.17",
          "machine" : {
            "ram" : 4294967296,
            "os" : "osx"
          },
          "memory" : null,
          "message" : "12.132.31.17 - - [2018-07-22T05:36:25.812Z] \"GET /elasticsearch/elasticsearch-6.3.2.tar.gz_1 HTTP/1.1\" 200 9797 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
          "phpmemory" : null,
          "referer" : "http://www.elastic-elastic-elastic.com/success/musa-manarov",
          "request" : "/elasticsearch/elasticsearch-6.3.2.tar.gz",
          "response" : 200,
          "tags" : [
            "success",
            "security"
          ],
          "timestamp" : "2020-10-25T05:36:25.812Z",
          "url" : "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.tar.gz_1",
          "utc_time" : "2020-10-25T05:36:25.812Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      }
    ]
  }
}

検索数を指定

sizeで取得件数を指定します。

リクエスト

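# Limit the number of hits returned. "size" is a top-level request-body
# parameter, a sibling of "query": nesting it inside "query" next to
# "match_all" is rejected by Elasticsearch as a malformed query.
# "size" caps only the hits array; hits.total still reports the full count.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "size": 2,
    "query": {
        "match_all": {}
    }
}
EOF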

レスポンス

{
    "took" : 1,
    "timed_out" : false,
    "_shards" : {
      "total" : 1,
      "successful" : 1,
      "skipped" : 0,
      "failed" : 0
    },
    "hits" : {
      "total" : {
        "value" : 10000,
        "relation" : "gte"
      },
      "max_score" : 1.0,
      "hits" : [
        {
          "_index" : "kibana_sample_data_logs",
          "_type" : "_doc",
          "_id" : "_YISgXUBAUC12oEIcapM",
          "_score" : 1.0,
          "_source" : {
            "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
            "bytes" : 6219,
            "clientip" : "223.87.60.27",
            "extension" : "deb",
            "geo" : {
              "srcdest" : "IN:US",
              "src" : "IN",
              "dest" : "US",
              "coordinates" : {
                "lat" : 39.41042861,
                "lon" : -88.8454325
              }
            },
            "host" : "artifacts.elastic.co",
            "index" : "kibana_sample_data_logs",
            "ip" : "223.87.60.27",
            "machine" : {
              "ram" : 8589934592,
              "os" : "win 8"
            },
            "memory" : null,
            "message" : "223.87.60.27 - - [2018-07-22T00:39:02.912Z] \"GET /elasticsearch/elasticsearch-6.3.2.deb_1 HTTP/1.1\" 200 6219 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
            "phpmemory" : null,
            "referer" : "http://twitter.com/success/wendy-lawrence",
            "request" : "/elasticsearch/elasticsearch-6.3.2.deb",
            "response" : 200,
            "tags" : [
              "success",
              "info"
            ],
            "timestamp" : "2020-10-25T00:39:02.912Z",
            "url" : "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.deb_1",
            "utc_time" : "2020-10-25T00:39:02.912Z",
            "event" : {
              "dataset" : "sample_web_logs"
            }
          }
        },
        {
          "_index" : "kibana_sample_data_logs",
          "_type" : "_doc",
          "_id" : "_oISgXUBAUC12oEIcapM",
          "_score" : 1.0,
          "_source" : {
            "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
            "bytes" : 6850,
            "clientip" : "130.246.123.197",
            "extension" : "",
            "geo" : {
              "srcdest" : "JP:IN",
              "src" : "JP",
              "dest" : "IN",
              "coordinates" : {
                "lat" : 38.58338806,
                "lon" : -86.46248778
              }
            },
            "host" : "www.elastic.co",
            "index" : "kibana_sample_data_logs",
            "ip" : "130.246.123.197",
            "machine" : {
              "ram" : 3221225472,
              "os" : "win 8"
            },
            "memory" : null,
            "message" : "130.246.123.197 - - [2018-07-22T03:26:21.326Z] \"GET /beats/metricbeat_1 HTTP/1.1\" 200 6850 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
            "phpmemory" : null,
            "referer" : "http://www.elastic-elastic-elastic.com/success/james-mcdivitt",
            "request" : "/beats/metricbeat",
            "response" : 200,
            "tags" : [
              "success",
              "info"
            ],
            "timestamp" : "2020-10-25T03:26:21.326Z",
            "url" : "https://www.elastic.co/downloads/beats/metricbeat_1",
            "utc_time" : "2020-10-25T03:26:21.326Z",
            "event" : {
              "dataset" : "sample_web_logs"
            }
          }
        }
      ]
    }
  }

完全一致で検索

Termベースクエリを使うことで、検索キーワードに完全一致するフィールド値を持つドキュメントを検索することができます。

keyword型のフィールドを検索するときに使用します。

リクエスト

# Exact-value lookup: "term" does not analyze the search value, so it is
# run against the keyword sub-field (machine.os.keyword), not the analyzed
# text field.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
        "term": {
            "machine.os.keyword": "ios"
        }
    }
}
EOF

レスポンス

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2737,
      "relation" : "eq"
    },
    "max_score" : 1.637355,
    "hits" : [
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "_4ISgXUBAUC12oEIcapM",
        "_score" : 1.637355,
        "_source" : {
          "agent" : "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24",
          "bytes" : 0,
          "clientip" : "120.49.143.213",
          "extension" : "css",
          "geo" : {
            "srcdest" : "CO:DE",
            "src" : "CO",
            "dest" : "DE",
            "coordinates" : {
              "lat" : 36.96015,
              "lon" : -78.18499861
            }
          },
          "host" : "cdn.elastic-elastic-elastic.org",
          "index" : "kibana_sample_data_logs",
          "ip" : "120.49.143.213",
          "machine" : {
            "ram" : 20401094656,
            "os" : "ios"
          },
          "memory" : null,
          "message" : "120.49.143.213 - - [2018-07-22T03:30:25.131Z] \"GET /styles/main.css_1 HTTP/1.1\" 503 0 \"-\" \"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24\"",
          "phpmemory" : null,
          "referer" : "http://twitter.com/success/konstantin-feoktistov",
          "request" : "/styles/main.css",
          "response" : 503,
          "tags" : [
            "success",
            "login"
          ],
          "timestamp" : "2020-10-25T03:30:25.131Z",
          "url" : "https://cdn.elastic-elastic-elastic.org/styles/main.css_1",
          "utc_time" : "2020-10-25T03:30:25.131Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      },
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "AIISgXUBAUC12oEIcatM",
        "_score" : 1.637355,
        "_source" : {
          "agent" : "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
          "bytes" : 14113,
          "clientip" : "99.74.118.237",
          "extension" : "deb",
          "geo" : {
            "srcdest" : "LK:IN",
            "src" : "LK",
            "dest" : "IN",
            "coordinates" : {
              "lat" : 48.31140472,
              "lon" : -114.2550694
            }
          },
          "host" : "artifacts.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "99.74.118.237",
          "machine" : {
            "ram" : 11811160064,
            "os" : "ios"
          },
          "memory" : null,
          "message" : "99.74.118.237 - - [2018-07-22T03:34:43.399Z] \"GET /beats/metricbeat/metricbeat-6.3.2-amd64.deb_1 HTTP/1.1\" 200 14113 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\"",
          "phpmemory" : null,
          "referer" : "http://www.elastic-elastic-elastic.com/success/charles-camarda",
          "request" : "/beats/metricbeat/metricbeat-6.3.2-amd64.deb",
          "response" : 200,
          "tags" : [
            "success",
            "info"
          ],
          "timestamp" : "2020-10-25T03:34:43.399Z",
          "url" : "https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-6.3.2-amd64.deb_1",
          "utc_time" : "2020-10-25T03:34:43.399Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      },
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "IoISgXUBAUC12oEIcatM",
        "_score" : 1.637355,
        "_source" : {
          "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
          "bytes" : 17403,
          "clientip" : "229.133.251.108",
          "extension" : "deb",
          "geo" : {
            "srcdest" : "CN:IN",
            "src" : "CN",
            "dest" : "IN",
            "coordinates" : {
              "lat" : 40.11611111,
              "lon" : -96.19445278
            }
          },
          "host" : "artifacts.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "229.133.251.108",
          "machine" : {
            "ram" : 7516192768,
            "os" : "ios"
          },
          "memory" : null,
          "message" : "229.133.251.108 - - [2018-07-22T17:25:32.077Z] \"GET /apm-server/apm-server-6.3.2-amd64.deb HTTP/1.1\" 200 17403 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"",
          "phpmemory" : null,
          "referer" : "http://twitter.com/success/joseph-p-allen",
          "request" : "/apm-server/apm-server-6.3.2-amd64.deb",
          "response" : 200,
          "tags" : [
            "success",
            "info"
          ],
          "timestamp" : "2020-10-25T17:25:32.077Z",
          "url" : "https://artifacts.elastic.co/downloads/apm-server/apm-server-6.3.2-amd64.deb",
          "utc_time" : "2020-10-25T17:25:32.077Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      }
    ]
  }
}

範囲指定

rangeを使用して、範囲を指定します。

gteなどの意味は以下の通り。

条件 意味
gte >=
gt >
lte <=
lt <

リクエスト

# Numeric range on bytes: gte/lte are inclusive bounds, so 5998, 5999 and
# 6000 all match (see the table above for gt/lt).
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
        "range": {
            "bytes": {
                "gte": 5998,
                "lte": 6000
            }
        }
    }
}
EOF

レスポンス

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "u4ISgXUBAUC12oEIe7ap",
        "_score" : 1.0,
        "_source" : {
          "agent" : "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24",
          "bytes" : 6000,
          "clientip" : "122.113.143.36",
          "extension" : "",
          "geo" : {
            "srcdest" : "SY:BR",
            "src" : "SY",
            "dest" : "BR",
            "coordinates" : {
              "lat" : 33.71221972,
              "lon" : -87.81504639
            }
          },
          "host" : "www.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "122.113.143.36",
          "machine" : {
            "ram" : 20401094656,
            "os" : "ios"
          },
          "memory" : null,
          "message" : "122.113.143.36 - - [2018-08-03T13:55:55.357Z] \"GET /beats/metricbeat HTTP/1.1\" 200 6000 \"-\" \"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.50 Safari/534.24\"",
          "phpmemory" : null,
          "referer" : "http://nytimes.com/success/andreas-mogensen",
          "request" : "/beats/metricbeat",
          "response" : 200,
          "tags" : [
            "success",
            "security"
          ],
          "timestamp" : "2020-11-06T13:55:55.357Z",
          "url" : "https://www.elastic.co/downloads/beats/metricbeat",
          "utc_time" : "2020-11-06T13:55:55.357Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      },
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "pIISgXUBAUC12oEIidK5",
        "_score" : 1.0,
        "_source" : {
          "agent" : "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
          "bytes" : 5998,
          "clientip" : "37.71.108.189",
          "extension" : "gz",
          "geo" : {
            "srcdest" : "CD:CD",
            "src" : "CD",
            "dest" : "CD",
            "coordinates" : {
              "lat" : 36.6977775,
              "lon" : -108.7011986
            }
          },
          "host" : "artifacts.elastic.co",
          "index" : "kibana_sample_data_logs",
          "ip" : "37.71.108.189",
          "machine" : {
            "ram" : 20401094656,
            "os" : "ios"
          },
          "memory" : null,
          "message" : "37.71.108.189 - - [2018-09-04T00:25:58.466Z] \"GET /beats/filebeat/filebeat-6.3.2-linux-x86.tar.gz HTTP/1.1\" 200 5998 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\"",
          "phpmemory" : null,
          "referer" : "http://www.elastic-elastic-elastic.com/success/gennady-padalka",
          "request" : "/beats/filebeat/filebeat-6.3.2-linux-x86.tar.gz",
          "response" : 200,
          "tags" : [
            "success",
            "info"
          ],
          "timestamp" : "2020-12-08T00:25:58.466Z",
          "url" : "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-linux-x86.tar.gz",
          "utc_time" : "2020-12-08T00:25:58.466Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      },
      {
        "_index" : "kibana_sample_data_logs",
        "_type" : "_doc",
        "_id" : "K4ISgXUBAUC12oEIitTC",
        "_score" : 1.0,
        "_source" : {
          "agent" : "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
          "bytes" : 6000,
          "clientip" : "186.81.116.110",
          "extension" : "css",
          "geo" : {
            "srcdest" : "CN:RU",
            "src" : "CN",
            "dest" : "RU",
            "coordinates" : {
              "lat" : 46.81278306,
              "lon" : -101.8601556
            }
          },
          "host" : "cdn.elastic-elastic-elastic.org",
          "index" : "kibana_sample_data_logs",
          "ip" : "186.81.116.110",
          "machine" : {
            "ram" : 3221225472,
            "os" : "win 8"
          },
          "memory" : null,
          "message" : "186.81.116.110 - - [2018-09-05T11:16:13.795Z] \"GET /styles/main.css HTTP/1.1\" 200 6000 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\"",
          "phpmemory" : null,
          "referer" : "http://www.elastic-elastic-elastic.com/success/michael-fincke",
          "request" : "/styles/main.css",
          "response" : 200,
          "tags" : [
            "success",
            "info"
          ],
          "timestamp" : "2020-12-09T11:16:13.795Z",
          "url" : "https://cdn.elastic-elastic-elastic.org/styles/main.css",
          "utc_time" : "2020-12-09T11:16:13.795Z",
          "event" : {
            "dataset" : "sample_web_logs"
          }
        }
      }
    ]
  }
}

取得するフィールドを絞る

リクエスト

# Source filtering: only "agent" and "bytes" are returned in _source; with
# no "query" given the request behaves like match_all. Listing the fields
# you need also keeps data you do not need (e.g. clientip) out of the
# response and shrinks the payload.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "_source": [
        "agent",
        "bytes"
    ]
}
EOF

レスポンス

{
    "took" : 1,
    "timed_out" : false,
    "_shards" : {
      "total" : 1,
      "successful" : 1,
      "skipped" : 0,
      "failed" : 0
    },
    "hits" : {
      "total" : {
        "value" : 10000,
        "relation" : "gte"
      },
      "max_score" : 1.0,
      "hits" : [
        {
          "_index" : "kibana_sample_data_logs",
          "_type" : "_doc",
          "_id" : "_YISgXUBAUC12oEIcapM",
          "_score" : 1.0,
          "_source" : {
            "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
            "bytes" : 6219
          }
        },
        {
          "_index" : "kibana_sample_data_logs",
          "_type" : "_doc",
          "_id" : "BoISgXUBAUC12oEIcatM",
          "_score" : 1.0,
          "_source" : {
            "agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1",
            "bytes" : 9797
          }
        }
      ]
    }
  }

開始取得位置を指定

リクエスト

# Offset pagination: "from" skips the first 5 hits (zero-based) and the
# default page size still applies. from + size is bounded by
# index.max_result_window (10,000 by default); for deeper pages use
# search_after instead of a large "from".
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
  "from": 5,
  "query": { "match_all": {} }
}
EOF

いずれかに等しい

リクエスト

# "terms" is the multi-value form of "term": a document matches when the
# keyword field equals any one of the listed values (exact, not analyzed).
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
    "terms": {
      "machine.os.keyword": ["ios","win 7"]
    }
  }
}
EOF

ソート

リクエスト

# Sort all documents by bytes, largest first. With an explicit "sort" the
# relevance score is not computed for the hits (compare "_score": null in
# the data example above).
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
    "match_all": {}
  },
  "sort": [
    {
      "bytes": {
        "order": "desc"
      }
    }
  ]
}
EOF

OR条件

shouldを指定。

# OR: a bool query with only "should" clauses requires at least one of them
# to match (geo.src == "AZ" OR 5998 <= bytes <= 6000). Documents matching
# more clauses score higher.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
    "bool": {
      "should": [
        {
          "term": {
              "geo.src": "AZ"
          }
        },
        {
          "range": {
            "bytes": {
              "gte": 5998,
              "lte": 6000
            }
        }
        }
      ]
    }
  }
}
EOF

AND条件

mustを指定。

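# AND: every clause under "must" has to match (geo.src == "AZ" AND
# 5998 <= bytes <= 6000). The text above says "must", but the example was
# a copy of the OR request and still used "should", which only requires
# one clause to match; "must" is the correct key for an AND condition.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "geo.src": "AZ"
          }
        },
        {
          "range": {
            "bytes": {
              "gte": 5998,
              "lte": 6000
            }
          }
        }
      ]
    }
  }
}
EOF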

NOT条件

must_notを指定。

# NOT: "must_not" excludes every document whose geo.src is "AZ"; all other
# documents in the index are returned.
curl --request GET "http://localhost:9200/kibana_sample_data_logs/_search" \
  --header 'Content-Type: application/json' \
  --data-binary @- <<'EOF'
{
    "query": {
    "bool": {
      "must_not": [
        {
          "term": {
              "geo.src": "AZ"
          }
        }
      ]
    }
  }
}
EOF

最後に

Elasticsearchのクエリを紹介しました。

この記事は随時更新していきます。
