【Question title】: Why are some fields not filterable via a bool query?
【Posted】: 2019-02-13 18:47:19
【Question】:

I used to think I knew how to use a bool query, but what I did before no longer seems to work: some fields can be filtered with a bool query and others cannot.

(I am testing on v6, so something may have changed in the meantime, but the documentation does not seem to suggest anything like that.)

The query

GET /security-center*/_search
{
  "query": {
    "match_all": {}
  }
}

returns documents such as

{
  "took" : 5,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1487073,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "security-center-2019.01.24",
        "_type" : "doc",
        "_id" : "igzyfWgBcCggV6jwR96k",
        "_score" : 1.0,
        "_source" : {
          "vulns_port" : "49666",
          "hosts_vulns_scanners_0_loadavg" : "0.0",
          "vulns_patchpubdate" : "-1",
          "vulns_description" : "This script uses WMI to list the processes running on the remote host\nand listening on TCP / UDP ports.",
          "hosts_vulns_completedchecks" : "3046410",
          "vulns_family_id" : "20",
          "hosts_vulns_repository_description" : "CREATED",
          "hosts_vulns_completedips" : "30",
          "hosts_vulns_ownergroup_id" : "0",
          "hosts_vulns_ownergroup_name" : "Full Access",
          "host_dmz" : "False",
(...)

I will query two of the fields above, vulns_port and hosts_vulns_ownergroup_name, taking the bool conditions directly from the document above.

Case 1: vulns_port (OK)

I want the documents whose vulns_port is 49666:

GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "vulns_port" : "49666" }
      }
    }
  }
}

Result:

{
  "took" : 83,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 4142,
    "max_score" : 5.9115334,
    "hits" : [
      {
        "_index" : "security-center-2019.01.24",
        "_type" : "doc",
        "_id" : "PKT0fWgBHaYvxmURB5eY",
        "_score" : 5.9115334,
        "_source" : {
          "vulns_port" : "49666",
          "hosts_vulns_scanners_0_loadavg" : "0.03",
(...)

Case 2: hosts_vulns_ownergroup_name (KO)

I want the documents whose hosts_vulns_ownergroup_name is Full Access:

GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "hosts_vulns_ownergroup_name" : "Full Access" }
      }
    }
  }
}

Result:

{
  "took" : 18,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

Where is the problem?

【Discussion】:

  • Can you add your mapping? We need to know how your fields are indexed.

Tags: elasticsearch


【Solution 1】:

Since you are on ES6, try using the .keyword sub-field:

GET /security-center*/_search
{
  "query": {
    "bool": {
      "must": {
        "term": { "hosts_vulns_ownergroup_name.keyword" : "Full Access" }
      }
    }
  }
}

【Comments】:

  • You are fast ;)
  • Oh yes, yes, yes: .keyword. It has bitten me once before, so now I will remember it. Thanks!
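The behaviour behind the accepted answer, as an added illustration that is not part of the original question or answer: a small Python model of ES6 dynamic mapping (a string becomes an analyzed `text` field plus an exact `.keyword` sub-field) and of the difference between `term` (query value not analyzed) and `match` (query value analyzed). The analyzer below is a simplified approximation of Elasticsearch's standard analyzer, and the document is constructed from the field values shown in the question; silent zero-hit filters on a scanner index like this one are worth catching, because they hide findings rather than erroring.

```python
import re


def standard_analyze(value):
    """Simplified model of the standard analyzer (assumption): split on
    non-alphanumerics and lowercase each token."""
    return [t.lower() for t in re.findall(r"[0-9A-Za-z]+", value)]


def index_document(source):
    """Model ES6 dynamic mapping for strings: the field itself is `text`
    (stores analyzed tokens) and `<field>.keyword` stores the exact value."""
    inverted = {}
    for field, value in source.items():
        inverted[field] = set(standard_analyze(value))
        inverted[field + ".keyword"] = {value}
    return inverted


def term_query(indexed, field, value):
    """term: the query value is NOT analyzed and must equal one stored token."""
    return value in indexed.get(field, set())


def match_query(indexed, field, value):
    """match: the query value IS analyzed; any token hit counts (OR semantics)."""
    return any(tok in indexed.get(field, set()) for tok in standard_analyze(value))


# Constructed sample document using the field values from the question.
DOC = {
    "vulns_port": "49666",
    "hosts_vulns_ownergroup_name": "Full Access",
    "host_dmz": "False",
}
INDEXED = index_document(DOC)


def explain():
    """Reproduce the two cases from the question plus the .keyword fix."""
    return {
        # Case 1 works: "49666" is a single token that lowercasing leaves intact.
        "port_term": term_query(INDEXED, "vulns_port", "49666"),
        # Case 2 fails: the text field holds {"full", "access"}, never "Full Access".
        "group_term_text": term_query(INDEXED, "hosts_vulns_ownergroup_name", "Full Access"),
        # The fix: .keyword holds the exact, unanalyzed string.
        "group_term_keyword": term_query(INDEXED, "hosts_vulns_ownergroup_name.keyword", "Full Access"),
        # Alternative: match analyzes the query too, so it finds the tokens.
        "group_match_text": match_query(INDEXED, "hosts_vulns_ownergroup_name", "Full Access"),
        # Same trap with "False": term on the text field needs the lowercased token.
        "dmz_term_text": term_query(INDEXED, "host_dmz", "False"),
    }
```

Note that `match` on the text field would also hit a document whose group name is only "Access", which is why the exact `.keyword` term filter is the right choice for an equality check.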