【Posted】: 2018-02-13 11:56:48
【Question】:
I queried some range data with Kibana Dev Tools, but two of the hits are not what I expected. Why does this happen?
Query:
{
  "query" : {
    "constant_score" : {
      "filter" : {
        "range" : {
          "rss" : {
            "gte": 3000000
          }
        }
      }
    }
  }
}
Result:
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 69,
    "successful": 69,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 2,
    "max_score": 1,
    "hits": [
      {
        "_index": "BBQ",
        "_type": "BBQ",
        "_id": "AWGJaCYkk-tGbWgj2e6R",
        "_score": 1,
        "_source": {
          "message": [
            "nodeProcessInfo"
          ],
          "@timestamp": "2018-02-12T09:45:59.525Z",
          "rss": "92636",
          "@version": "1",
          "host": "192.168.213.96"
        }
      },
      {
        "_index": "BBQ",
        "_type": "BBQ",
        "_id": "AWGJaJxzk-tGbWgj2e-V",
        "_score": 1,
        "_source": {
          "message": [
            "nodeProcessInfo"
          ],
          "@timestamp": "2018-02-12T09:46:29.680Z",
          "rss": "85272",
          "@version": "1",
          "host": "192.168.213.96"
        }
      }
    ]
  }
}
The range query result is not what I expected: why does a hit with rss = 92636 appear for gte => 3000000?
=======================Edit 2018.2.13=========(1)
The log looks like this:
"nodeProcessInfo|auth-server-1|auth|9618|1.9|1.2|98060|2018-2-12 6:33:43 PM|"
The filter looks like this:
filter {
  if "nodeProcessInfo" in [message] {
    mutate {
      split => ["message", "|"]
      add_field => {
        "serverId" => "%{[message[1]]}"
      }
      add_field => {
        "serverType" => "%{[message[2]]}"
      }
      add_field => {
        "pid" => "%{[message[3]]}"
      }
      add_field => {
        "cpuAvg" => "%{[message[4]]}"
      }
      add_field => {
        "memAvg" => "%{[message[5]]}"
      }
      add_field => {
        "rss" => "%{[message[6]]}"
      }
      add_field => {
        "time" => "%{[message[7]]}"
      }
      convert => ["rss", "integer"] # I tried to convert rss to int, but it failed
      add_tag => "nodeProcessInfo"
    }
  }
}
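=======================Edit 2018.2.13=========(2)
I moved the convert into a new mutate block, and it does turn "rss" into an int type, but the range query result is still wrong. The changed code is as follows: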
if "nodeProcessInfo" in [message] {
  mutate {
    split => ["message", "|"]
    ...
    ...
    add_field => {
      "rss" => "%{[message[6]]}"
    }
  }
  mutate {
    convert => ["rss", "integer"] # add a new mutate here
  }
}
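======================Edit 2018.2.13=========(3)
I finally found why the range query was still wrong even after rss's type was converted to int:
"You cannot change the existing mapping type; you need to create a new index with the correct mapping and reindex the data."
So I created a new field name to replace rss, and the range query result is right now.
【Discussion】:
Tags: elasticsearch range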
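An added example, not part of the original post: a small lint that walks a query DSL tree and flags numeric range bounds on string-mapped fields, plus a simplified model of why the two hits matched (a range on a string field compares terms lexicographically). The mapping shown is constructed, `rss_int` is a hypothetical replacement field name, and `matches_gte` is a simplification of the comparison, not Elasticsearch code.

```python
STRING_TYPES = {"text", "keyword", "string"}  # "string" is the pre-5.x name

# Constructed mapping: "rss" first arrived as a JSON string, so dynamic mapping
# typed it as text; "rss_int" is a hypothetical replacement field.
MAPPING = {"rss": {"type": "text"}, "rss_int": {"type": "long"}}

# The query from the post.
QUERY = {"query": {"constant_score": {"filter": {
    "range": {"rss": {"gte": 3000000}}}}}}


def range_clauses(node):
    """Yield (field, bounds) for every range clause in a query DSL tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "range" and isinstance(value, dict):
                yield from value.items()
            else:
                yield from range_clauses(value)
    elif isinstance(node, list):
        for item in node:
            yield from range_clauses(item)


def lint(query, mapping):
    """Return (field, type) for numeric range bounds on string-mapped fields."""
    findings = []
    for field, bounds in range_clauses(query):
        ftype = mapping.get(field, {}).get("type", "unmapped")
        numeric = any(isinstance(v, (int, float)) for v in bounds.values())
        if numeric and ftype in STRING_TYPES:
            findings.append((field, ftype))
    return findings


def matches_gte(value, bound, ftype):
    """Simplified model of gte: string fields compare terms, not numbers."""
    if ftype in STRING_TYPES:
        return str(value) >= str(bound)  # lexicographic: "9..." > "3..."
    return float(value) >= float(bound)


if __name__ == "__main__":
    print(lint(QUERY, MAPPING))
    for rss in ("92636", "85272"):  # the two unexpected hits from the post
        print(rss, matches_gte(rss, 3000000, "text"),
              matches_gte(rss, 3000000, "long"))
```

Running the same lint against threshold queries used for alerting catches this class of silent mismatch before a rule goes live.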