[Posted]: 2019-02-13 18:47:19
[Question]:
I used to think I knew how to use bool queries, but what I did before no longer seems to work: some fields can be filtered with a bool query and others cannot.
(I am testing on V6, so something may have changed in the meantime, but the documentation does not seem to suggest anything like that.)
The query
GET /security-center*/_search
{
  "query": {
    "match_all": {}
  }
}
returns documents like
{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1487073,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "security-center-2019.01.24",
        "_type" : "doc",
        "_id" : "igzyfWgBcCggV6jwR96k",
        "_score" : 1.0,
        "_source" : {
          "vulns_port" : "49666",
          "hosts_vulns_scanners_0_loadavg" : "0.0",
          "vulns_patchpubdate" : "-1",
          "vulns_description" : "This script uses WMI to list the processes running on the remote host\nand listening on TCP / UDP ports.",
          "hosts_vulns_completedchecks" : "3046410",
          "vulns_family_id" : "20",
          "hosts_vulns_repository_description" : "CREATED",
          "hosts_vulns_completedips" : "30",
          "hosts_vulns_ownergroup_id" : "0",
          "hosts_vulns_ownergroup_name" : "Full Access",
          "host_dmz" : "False",
          (...)
I am going to query two of the fields above, vulns_port and hosts_vulns_ownergroup_name, taking the boolean condition exactly from the document above.
Case 1: vulns_port (OK)
I want the documents whose vulns_port is 49666:
GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "vulns_port" : "49666" }
      }
    }
  }
}
Result:
{
  "took" : 83,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 4142,
    "max_score" : 5.9115334,
    "hits" : [
      {
        "_index" : "security-center-2019.01.24",
        "_type" : "doc",
        "_id" : "PKT0fWgBHaYvxmURB5eY",
        "_score" : 5.9115334,
        "_source" : {
          "vulns_port" : "49666",
          "hosts_vulns_scanners_0_loadavg" : "0.03",
          (...)
Case 2: hosts_vulns_ownergroup_name (KO)
I want the documents whose hosts_vulns_ownergroup_name is Full Access:
GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "hosts_vulns_ownergroup_name" : "Full Access" }
      }
    }
  }
}
Result:
{
  "took" : 18,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}
Where is the problem?
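The behaviour in the two cases above can be reproduced offline. The following is an added example, not code from the question or its answers, and it rests on one assumption: the security-center-* indices were created by Elasticsearch 6 dynamic mapping, which maps every JSON string to a text field run through the standard analyzer plus a keyword sub-field (field.keyword) holding the exact value. Under that mapping "49666" survives analysis as the single token 49666, so a term lookup for "49666" hits, while "Full Access" is stored as the two tokens full and access, so a term lookup for the verbatim string "Full Access" hits nothing. The tokenizer below is a simplified stand-in for the standard analyzer, and the sample documents are constructed from the _source shown above. The two request bodies at the end are what you would send to a real cluster; check the actual mapping first with GET /security-center*/_mapping/field/hosts_vulns_ownergroup_name, since the .keyword sub-field only exists if the index was dynamically mapped (or mapped that way by hand).

```python
"""Offline model of term vs. match on analysed (text) and exact (keyword) fields.

Added example, not part of the original question. Assumes ES 6 dynamic string
mapping: text field (standard analyzer) plus a `<field>.keyword` sub-field.
"""
import re
from collections import defaultdict

# Constructed sample documents, trimmed from the _source in the question.
DOCS = [
    {"_id": "igzyfWgBcCggV6jwR96k", "vulns_port": "49666",
     "hosts_vulns_ownergroup_name": "Full Access", "host_dmz": "False"},
    {"_id": "PKT0fWgBHaYvxmURB5eY", "vulns_port": "49666",
     "hosts_vulns_ownergroup_name": "Full Access", "host_dmz": "True"},
    {"_id": "constructed-3", "vulns_port": "445",
     "hosts_vulns_ownergroup_name": "Read Only", "host_dmz": "False"},
]

TOKEN_RE = re.compile(r"[0-9A-Za-z]+")


def analyze(value):
    """Simplified standard analyzer: lower-case, keep alphanumeric runs."""
    return TOKEN_RE.findall(value.lower())


def build_index(docs):
    """Inverted index: field -> term -> set of _id.

    Every string is indexed twice, as ES 6 dynamic mapping would do (assumed):
    analysed tokens under `field`, the exact value under `field.keyword`.
    """
    index = defaultdict(lambda: defaultdict(set))
    for doc in docs:
        for field, value in doc.items():
            if field == "_id":
                continue
            for tok in analyze(value):
                index[field][tok].add(doc["_id"])
            index[field + ".keyword"][value].add(doc["_id"])
    return index


def term_query(index, field, value):
    """`term`: the value is NOT analysed; it is looked up verbatim."""
    return set(index[field].get(value, set()))


def match_query(index, field, value, operator="or"):
    """`match`: the query string is analysed with the field's analyzer
    (no analysis on a keyword sub-field), then each token is a term lookup,
    OR-ed by default or AND-ed with operator="and"."""
    tokens = [value] if field.endswith(".keyword") else analyze(value)
    if not tokens:
        return set()
    hits = [set(index[field].get(t, set())) for t in tokens]
    return set.intersection(*hits) if operator == "and" else set.union(*hits)


# Request bodies for a real ES 6 cluster (assumed `.keyword` sub-field).
# Exact, unscored filter: the right tool for "ownergroup is exactly Full Access".
EXACT_FILTER = {"query": {"bool": {"filter": {
    "term": {"hosts_vulns_ownergroup_name.keyword": "Full Access"}}}}}
# Analysed match with operator=and: tolerant of case, but "Access Full" also hits.
ANALYZED_MATCH = {"query": {"bool": {"must": {
    "match": {"hosts_vulns_ownergroup_name": {"query": "Full Access",
                                               "operator": "and"}}}}}}


if __name__ == "__main__":
    idx = build_index(DOCS)
    print("term vulns_port=49666         ->", term_query(idx, "vulns_port", "49666"))
    print("term ownergroup=Full Access   ->", term_query(idx, "hosts_vulns_ownergroup_name", "Full Access"))
    print("term ownergroup.keyword       ->", term_query(idx, "hosts_vulns_ownergroup_name.keyword", "Full Access"))
    print("match ownergroup=Full Access  ->", match_query(idx, "hosts_vulns_ownergroup_name", "Full Access"))
    print("match 'full only' (or)        ->", match_query(idx, "hosts_vulns_ownergroup_name", "full only"))
```

The last print line is the caveat: a default (OR) match for "full only" returns every document, because it is a relevance query over tokens rather than an exact filter. For an access-control attribute like an owner group, use the keyword sub-field inside a bool filter, as in EXACT_FILTER, so that "Full Access" and "Full Access Read Only" are not conflated.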
[Discussion]:
- Can you add your mapping? We need to know how your fields are indexed.
Tags: elasticsearch