如何傳遞值到外部查詢

tag-icon tag-icon curl elasticsearch elk
如何傳遞值到外部查詢

我有以下類似的日誌。

我創建了虛擬對象indexmapping如下所示創建dev-tools

PUT new
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type":   "date",
        "format": "yyyy-MM-dd HH:mm:ss.SSS"
      }
    }
  }
}

indexed數據如下,

PUT /new/_doc/1
{
  "@timestamp": "2021-11-05 08:12:14.534",
  "level": "INFO",
  "id": "1",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/2
{
  "@timestamp": "2021-10-14 09:11:14.534",
  "level": "INFO",
  "id": "3",
  "text": "website is accessed",
  "status": "clicked"
}

PUT /new/_doc/3
{
  "@timestamp": "2021-09-09 02:08:20.534",
  "level": "INFO",
  "id": "4",
  "text": "website is accessed",
  "status": "clicked"
}

我可以使用以下request查詢來取得總計數,

GET new/_search
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

response如下圖所示,

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

如您所見,我需要hardcode獲取date特定的值month,即獲取sept月份的相同信息,我需要date time range在curl請求中修改如下,

"range": {
  "@timestamp": {
    "gte": "2021-09-01",
    "lte": "2021-09-30"
    }
    }

下面是curl call request.

curl -u elastic:xxx  -XGET "http://10.10.10.10:9200/new/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "aggs": {},
  "size": 0,
  "fields": [],
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "text": "website is accessed"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-01",
              "lte": "2021-10-30"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}'

我如何動態yearmonth(即沒有實際硬編碼它的請求本身)傳遞給curl請求,該請求將獲取該特定的資訊monthyear

更新 -

我可以使用下面的方法獲得上個月(11 月)或過去 2 個月(10 月)等的結果,

上個月 - Nov-

"gte": "now-M",
"lt": "now/M"

2個月 -Oct

"gte": "now-2M/M",
"lte": "now-2M/M"

但有沒有辦法提供所需的結果yearmonth檢索結果呢?

謝謝,

答案1

您可以使用日期數學具有完全定義的日期:

"range": {
  "@timestamp": {
    "gte": "2021-10-01",
    "lte": "2021-10-01||+1M/d"
  }
}

相關內容