20.ELK实时日志分析平台之Elasticsearch 查询简介

转载*请注明原始出处：http://blog.csdn.net/a464057216/article/details/50917500

接下来我们在模拟的大量数据中实战一番，从这里下载下来压缩包，解压后导入系统：

$ curl -XPOST 'localhost:9200/bank/account/_bulk?pretty'--data-binary "@accounts.json"

然后查询下系统索引情况：

$ curl 'localhost:9200/_cat/indices?v'health status index    pri rep docs.count docs.deleted store.size pri.store.sizeyellow open   bank       5   1       1000            0    450.3kb        450.3kbyellow open   customer   5   1          1            0      3.9kb          3.9kb

说明我们的bank索引中1k个document全部导入成功了。

执行Elasticsearch的查询有两种方法，一种是向REST URI传递参数，另一种是将查询条件封装在REST请求的body中。

使用REST URI的话，可以使用_search接口，比如查询customer索引下的所有document，可以使用：

$ curl 'localhost:9200/customer/_search?q=*&pretty'{  "took" : 22,  "timed_out" : false,  "_shards" : {    "total" : 5,    "successful" : 5,    "failed" : 0  },  "hits" : {    "total" : 1,    "max_score" : 1.0,    "hits" : [ {      "_index" : "customer",      "_type" : "external",      "_id" : "1",      "_score" : 1.0,      "_source" : {        "name" : "mars loo",        "age" : 25      }    } ]  }}

其中

• took：Elasticsearch执行查询的时间（ms）
• time_out：查询是否超时
• _shards：在多少个shards上执行的查询，包括成功和失败的情况。
• hits：查询结果
• hits.total：一共有多少个document命中查询条件
• hits.hits：需要显示的document

如果使用为请求body填充内容的方法，可以使用如下请求：

$ curl -XPOST 'localhost:9200/customer/_search?pretty' -d '> {> "query":{"match_all": {}}> }'{  "took" : 164,  "timed_out" : false,  "_shards" : {    "total" : 5,    "successful" : 5,    "failed" : 0  },  "hits" : {    "total" : 1,    "max_score" : 1.0,    "hits" : [ {      "_index" : "customer",      "_type" : "external",      "_id" : "1",      "_score" : 1.0,      "_source" : {        "name" : "mars loo",        "age" : 25      }    } ]  }}

在详细介绍Elasticsearch采用的这个查询请求body的语法之前，我们先看一下刚刚的body内容：

{    "query": {"match_all": {}}}

query表示我们使用_search API做查询动作，match_all是一种遍历所有document的查询，默认显示10个结果（如果结果大于10个的话）。

也可以限制查询结果的显示数量，比如(size的默认值是10)：

$ curl 'localhost:9200/bank/_search?pretty' -d '> {> "query":{"match_all": {}},> "size": 3> }'{  "took" : 185,  "timed_out" : false,  "_shards" : {    "total" : 5,    "successful" : 5,    "failed" : 0  },  "hits" : {    "total" : 1000,    "max_score" : 1.0,    "hits" : [ {      "_index" : "bank",      "_type" : "account",      "_id" : "25",      "_score" : 1.0,      "_source" : {        "account_number" : 25,        "balance" : 40540,        "firstname" : "Virginia",        "lastname" : "Ayala",        "age" : 39,        "gender" : "F",        "address" : "171 Putnam Avenue",        "employer" : "Filodyne",        "email" : "virginiaayala@filodyne.com",        "city" : "Nicholson",        "state" : "PA"      }    }, {      "_index" : "bank",      "_type" : "account",      "_id" : "44",      "_score" : 1.0,      "_source" : {        "account_number" : 44,        "balance" : 34487,        "firstname" : "Aurelia",        "lastname" : "Harding",        "age" : 37,        "gender" : "M",        "address" : "502 Baycliff Terrace",        "employer" : "Orbalix",        "email" : "aureliaharding@orbalix.com",        "city" : "Yardville",        "state" : "DE"      }    }, {      "_index" : "bank",      "_type" : "account",      "_id" : "99",      "_score" : 1.0,      "_source" : {        "account_number" : 99,        "balance" : 47159,        "firstname" : "Ratliff",        "lastname" : "Heath",        "age" : 39,        "gender" : "F",        "address" : "806 Rockwell Place",        "employer" : "Zappix",        "email" : "ratliffheath@zappix.com",        "city" : "Shaft",        "state" : "ND"      }    } ]  }}

某些情况下我们需要对查询结果做分页显示，比如显示第11~12个结果，可以使用如下请求（from的默认值是0）：

$ curl -XPOST 'localhost:9200/bank/_search?pretty' -d '> {> "query":{"match_all":{}},> "from":10,> "size":2> }'{  "took" : 5,  "timed_out" : false,  "_shards" : {    "total" : 5,    "successful" : 5,    "failed" : 0  },  "hits" : {    "total" : 1000,    "max_score" : 1.0,    "hits" : [ {      "_index" : "bank",      "_type" : "account",      "_id" : "227",      "_score" : 1.0,      "_source" : {        "account_number" : 227,        "balance" : 19780,        "firstname" : "Coleman",        "lastname" : "Berg",        "age" : 22,        "gender" : "M",        "address" : "776 Little Street",        "employer" : "Exoteric",        "email" : "colemanberg@exoteric.com",        "city" : "Eagleville",        "state" : "WV"      }    }, {      "_index" : "bank",      "_type" : "account",      "_id" : "253",      "_score" : 1.0,      "_source" : {        "account_number" : 253,        "balance" : 20240,        "firstname" : "Melissa",        "lastname" : "Gould",        "age" : 31,        "gender" : "M",        "address" : "440 Fuller Place",        "employer" : "Buzzopia",        "email" : "melissagould@buzzopia.com",        "city" : "Lumberton",        "state" : "MD"      }    } ]      }}

细心的人可能会注意到，查询结果并不是按照_id字段排序的，如果要对查询结果进行排序，可以使用如下方法（按照balance字段降序排列）：

curl -XPOST 'localhost:9200/bank/_search?pretty' -d '{  "query": { "match_all": {} },  "sort": { "balance": { "order": "desc" } }}'

如果觉得我的文章对您有帮助，欢迎关注我(CSDN:Mars Loo的博客)或者为这篇文章点赞，谢谢！