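【Question title】: elasticsearch date range accuracy
【Posted】: 2015-08-31 15:23:54
【Question description】:

TL;DR: Using a range filter with an lte condition on a date never returns the record at that date.

In the following snippets, focus on the @timestamp field.

Query: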

POST logstash-*/logs/_search
  {
    "filter": {
      "range": {
        "@timestamp": {
          "gte": null,
          "lte": "2015-08-31T15:00:07.397Z",
          "format" : "date_time"
        }
      }
    },
    "size": 20,
    "from": 1,
    "sort": [
      {
        "@timestamp": {
          "order": "desc"
        }
      }
    ],
    "fields": [
      "*",
      "@timestamp"
    ]
 }

Query result:

{
   "took": 2,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 586,
      "max_score": null,
      "hits": [
         {
            "_index": "logstash-2015.08.31",
            "_type": "logs",
            "_id": "AU-ERb3Ndl1LVbEg-Dnb",
            "_score": null,
            "fields": {
               "@timestamp": [
                  "2015-08-31T15:00:06.455Z"
               ]
            },
            "sort": [
               1441033206455
            ]
         }, (more hits...)

Next step:

I take the @timestamp value from the first result ("2015-08-31T15:00:06.455Z") and put it into the same query, under the lte key.

Enhanced query:

POST logstash-*/logs/_search
  {
    "filter": {
      "range": {
        "@timestamp": {
          "gte": null,
          "lte": "2015-08-31T15:00:06.455Z",
          "format" : "date_time"
        }
      }
    },
    "size": 20,
    "from": 1,
    "sort": [
      {
        "@timestamp": {
          "order": "desc"
        }
      }
    ],
    "fields": [
      "*",
      "@timestamp"
    ]
 }

Enhanced query result:

{
   "took": 6,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 585,
      "max_score": null,
      "hits": [
         {
            "_index": "logstash-2015.08.31",
            "_type": "logs",
            "_id": "AU-ERbH6dl1LVbEg-Dna",
            "_score": null,
            "fields": {
               "@timestamp": [
                  "2015-08-31T15:00:03.871Z"
               ]
            },
            "sort": [
               1441033203871
            ]
         }, (more hits...)

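As you can see above, the record for the date I queried does not appear in the result list. The hit count decreased by 1, and the first result is an earlier time, not the exact time I queried.

Index template in use: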

PUT _template/my_template
{
  "template" : "logstash-*",
  "mappings" : {
      "logs" : {
        "_source" : {"enabled" : "true"},
        "properties" : {
          "@timestamp" : { "type" : "date", "format" : "date_time" },
          # more fields here
        }
      }
  }
}

I am using Elasticsearch 1.7.1.

Thanks!

【Question discussion】:

    Tags: elasticsearch elastic-stack


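    【Solution 1】:

    You have set the value of "from" to 1 in the search request. This means the first result is skipped and the rest are shown. Hence you find the first result missing. If you set "from" to 0 or remove it entirely, you will get the desired result.

    【Discussion】:

    • D'oh! Can't believe I missed that.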
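
The behaviour described in the answer, as an added example that is not part of the original posts: a small Python model (it does not call Elasticsearch) of an inclusive lte range filter, a descending sort, and the from/size window. The document list and the search() helper are assumptions made for illustration; two of the timestamps are the ones shown in the question, the others are constructed.

```python
from datetime import datetime, timezone

def parse_ts(s):
    # Parse a "date_time" style timestamp such as 2015-08-31T15:00:06.455Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

# Constructed sample index contents
DOCS = [
    "2015-08-31T15:00:07.001Z",  # constructed: newest document
    "2015-08-31T15:00:06.455Z",  # timestamp from the question
    "2015-08-31T15:00:03.871Z",  # timestamp from the question
    "2015-08-31T14:59:58.120Z",  # constructed
]

def search(docs, lte, from_=0, size=20):
    """Range filter (lte is inclusive) -> sort desc -> skip from_ -> take size.

    "total" counts every match, regardless of the from/size window,
    which is why the hit count still includes the skipped document.
    """
    bound = parse_ts(lte)
    matched = sorted((d for d in docs if parse_ts(d) <= bound),
                     key=parse_ts, reverse=True)
    return {"total": len(matched), "hits": matched[from_:from_ + size]}

if __name__ == "__main__":
    # First query from the question: from=1 hides the newest match
    first = search(DOCS, "2015-08-31T15:00:07.397Z", from_=1)
    print(first["total"], first["hits"][0])

    # "Enhanced" query: the boundary document matches (total counts it)
    # but sits at offset 0, so from=1 skips it
    second = search(DOCS, "2015-08-31T15:00:06.455Z", from_=1)
    print(second["total"], second["hits"][0])

    # With from=0 the boundary document is the first hit
    fixed = search(DOCS, "2015-08-31T15:00:06.455Z", from_=0)
    print(fixed["total"], fixed["hits"][0])
```

When paging through logs during an investigation, comparing the reported total with the number of hits actually returned is a quick way to spot a non-zero offset hiding the newest events.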