Kibana：一个查询中的相同字段连接“and not”运算符。 “AND”和“AND NOT”优先级答案

【问题标题】：Kibana: same fields in one query concatenated "and not" operator. "AND" and "AND NOT" precedenceKibana：一个查询中的相同字段连接“and not”运算符。 “AND”和“AND NOT”优先级
【发布时间】：2020-12-18 03:01:32
【问题描述】：

我必须搜索 文本字段“正文” 包含“SAN 订阅者余额”并排除“调用 reip-adapter 后未找到”的文档。我在 Kibana 中创建 KQL 请求：

正文：“SAN 订阅者的余额”而不是正文：“调用 reip-adapter 后未找到”

但结果包括两个条件：“SAN 的订阅者余额”和“调用 reip-adapter 后未找到”。为什么在我的结果中出现“使用 SAN 的订阅者的余额”和“在调用 reip-adapter 后找不到”？

检查 KQL 请求：

 "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match_phrase": {
                        "Body": "Balance for subscriber with SAN"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "must_not": {
                    "bool": {
                      "should": [
                        {
                          "match_phrase": {
                            "Body": "was not found after invoking reip-adapter"
                          }
                        }
                      ],
                      "minimum_should_match": 1
                    }
                  }
                }
              }
            ]
          }
        },
        {
          "range": {
            "Timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2020-08-29T08:24:55.067Z",
              "lte": "2020-08-29T10:24:55.067Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }

“而不是”条件不起作用，响应：

-----omitted--------
        "_source": {
          "prospector": {},
          "Severity": "INFO",
          "uuid": "e71b207a-42a6-4b2c-98d1-b1094c578776",
          "Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
          "tags": [
            "iptv",
            "beats_input_codec_plain_applied"
          ],
          "source": "/applogs/Iptv/app.log",
          "host": {
            "name": "e38"
          },
          "offset": 23097554,
          "pid": "2473",
          "Configuration": "IptvFacadeBean",
          "Timestamp": "2020-08-29T10:24:50.040Z",
          "@timestamp": "2020-08-29T10:24:50.446Z",
          "input": {}
        }
-----omitted--------

【问题讨论】：

如果它帮助您解决了您的问题，您能否点赞并接受我的回答：)

标签： elasticsearch lucene kibana

【解决方案1】：

您为Body 字段编制索引的索引数据是：

"Body": "SAN=0400043102 的订阅者的余额在之后找不到调用 reip 适配器。”

数字和was（0400043102was）之间没有差距，所以生成的token是：

POST/_analyze

{
  "analyzer" : "standard",
  "text" : "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
}

令牌是：

{
    "tokens": [
        {
            "token": "balance",
            "start_offset": 0,
            "end_offset": 7,
            "type": "<ALPHANUM>",
            "position": 0
        },
        {
            "token": "for",
            "start_offset": 8,
            "end_offset": 11,
            "type": "<ALPHANUM>",
            "position": 1
        },
        {
            "token": "subscriber",
            "start_offset": 12,
            "end_offset": 22,
            "type": "<ALPHANUM>",
            "position": 2
        },
        {
            "token": "with",
            "start_offset": 23,
            "end_offset": 27,
            "type": "<ALPHANUM>",
            "position": 3
        },
        {
            "token": "san",
            "start_offset": 28,
            "end_offset": 31,
            "type": "<ALPHANUM>",
            "position": 4
        },
        {
            "token": "0400043102was",       <-- note this
            "start_offset": 32,
            "end_offset": 45,
            "type": "<ALPHANUM>",
            "position": 5
        },
        {
            "token": "not",
            "start_offset": 46,
            "end_offset": 49,
            "type": "<ALPHANUM>",
            "position": 6
        },
        {
            "token": "found",
            "start_offset": 50,
            "end_offset": 55,
            "type": "<ALPHANUM>",
            "position": 7
        },
        {
            "token": "after",
            "start_offset": 56,
            "end_offset": 61,
            "type": "<ALPHANUM>",
            "position": 8
        },
        {
            "token": "invoking",
            "start_offset": 62,
            "end_offset": 70,
            "type": "<ALPHANUM>",
            "position": 9
        },
        {
            "token": "reip",
            "start_offset": 71,
            "end_offset": 75,
            "type": "<ALPHANUM>",
            "position": 10
        },
        {
            "token": "adapter",
            "start_offset": 76,
            "end_offset": 83,
            "type": "<ALPHANUM>",
            "position": 11
        }
    ]
}

因此，当您尝试像这样执行match_phrase 时：

 "should": [
                        {
                          "match_phrase": {
                            "Body": "was not found after invoking reip-adapter"
                          }
                        }
                      ]

没有生成令牌was，因此，文档匹配并且must_not 条件不起作用。

索引数据：

{ "Body":"Balance for subscriber with SAN=0400043102" }
{ "Body":"Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter." }

搜索查询

 {
  "query": {
    "bool": {
      "must": {
        "match_phrase": {
          "Body": "Balance for subscriber with SAN"
        }
      },
      "must_not": {
        "match_phrase": {
          "Body": "not found after invoking reip-adapter"
        }
      }
    }
  }
}

搜索结果：

"hits": [
            {
                "_index": "my_index",
                "_type": "_doc",
                "_id": "2",
                "_score": 1.055546,
                "_source": {
                    "Body": "Balance for subscriber with SAN=0400043102"
                }
            }
        ]

【讨论】：