使用 NEST 从 elasticsearch 查询现有索引

Question

我们有一个带有 kibana 的 elasticsearch 安装，我想知道是否可以使用 NEST 编写一个查询来显示 .Net 程序的日志文件？

我尝试创建一个简单的 LogMessage POCO 类来提取消息，但没有成功。

[ElasticsearchType(IdProperty = "Id")]
public class LogMessage
{
    public Guid? Id { get; set; }

    public Source Source { get; set; }
}

public class Source
{
    public String Message { get; set; }
}

搜索代码很简单。

var local = new Uri("http://servername:9200");
var settings = new ConnectionSettings(local);
var elastic = new ElasticClient(settings);
var request = new SearchRequest
            {
                From = 0,
                Size = 10,
            };

var r = elastic.Search<LogMessage>(request);

1. 我的 LogMessage 类应该是什么样的？

kibana 中的事件如下所示。我们使用 serilog 将消息记录到 elasticsearch 服务器

{
  "_index": "oxyb-01-2016.08",
  "_type": "logevent",
  "_id": "AVbfrnje902hsaMqv0p2",
  "_score": 1,
  "_source": {
    "@timestamp": "2016-08-31T18:19:26.9228089+10:00",
    "level": "Debug",
    "messageTemplate": "Simple message",
    "message": "Simple message",
    "fields": {
      "Session": "AP2016831/08/2016 6:10:19 PM",
      "TX": "TX123-001 None",
      "ExecutionTime": 523792,
      "MethodTime": 109,
      "TransactionId": "6058862c-3f45-4956-8992-eb34eba0fa9b",
      "Workorder": "WoAP70906YY0831031604526",
    },
    "renderings": {
      "0": [
        {
          "Format": "0.00",
          "Rendering": "0.00"
        }
      ]
    }
  },
  "fields": {
    "@timestamp": [
      1472631566922
    ]
  }
}

Answer 1

来源是响应中 _source 属性中的所有内容

  "_source": {
    "@timestamp": "2016-08-31T18:19:26.9228089+10:00",
    "level": "Debug",
    "messageTemplate": "Simple message",
    "message": "Simple message",
    "fields": {
      "Session": "AP2016831/08/2016 6:10:19 PM",
      "TX": "TX123-001 None",
      "ExecutionTime": 523792,
      "MethodTime": 109,
      "TransactionId": "6058862c-3f45-4956-8992-eb34eba0fa9b",
      "Workorder": "WoAP70906YY0831031604526",
    },
    "renderings": {
      "0": [
        {
          "Format": "0.00",
          "Rendering": "0.00"
        }
      ]
    }
  },

所以你的LogMessage 类型应该有这些属性。看起来fields 可以包含任意键？如果是这种情况，您可能希望将其映射为Dictionary<string, object>；如果不是这种情况，则将其也映射为特定的 POCO 类型。在最简单的情况下，这样的映射将起作用

[ElasticsearchType(Name = "logevent")]
public class LogMessage
{
    [JsonProperty("@timestamp")]
    public DateTimeOffset Timestamp {get; set; }

    public string Level {get; set; }

    public string MessageTemplate {get; set; }

    public string Message {get; set; }

    public Dictionary<string, object> Fields {get; set; }

    public Dictionary<string, object[]> Renderings {get; set; }
}

我们可以使用以下方法按预期测试它的工作原理

void Main()
{
    var client = new ElasticClient();

    var json = @"{
    ""@timestamp"": ""2016-08-31T18:19:26.9228089+10:00"",
    ""level"": ""Debug"",
    ""messageTemplate"": ""Simple message"",
    ""message"": ""Simple message"",
    ""fields"": {
      ""Session"": ""AP2016831/08/2016 6:10:19 PM"",
      ""TX"": ""TX123-001 None"",
      ""ExecutionTime"": 523792,
      ""MethodTime"": 109,
      ""TransactionId"": ""6058862c-3f45-4956-8992-eb34eba0fa9b"",
      ""Workorder"": ""WoAP70906YY0831031604526"",
    },
    ""renderings"": {
        ""0"": [
          {
          ""Format"": ""0.00"",
          ""Rendering"": ""0.00""
        }
      ]
    }
  }";

  LogMessage log = null;

  using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(json)))
    log = client.Serializer.Deserialize<LogMessage>(stream);

  // do something with log
}