在Elasticsearch中查询日期范围
[英]query on a date range in elasticsearch
问题描述
I want to get documents from last 30 days in elastic search but it returns empty. 
我想通过弹性搜索获取最近30天的文档,但返回的是空的。
it is my mapping: 这是我的映射:
PUT /books
{
"mappings": {
"impressions": {
"properties": {
"booksCreated" : {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis",
"index": true
}
}
}
}
}
and it is my query: 这是我的查询:
POST /books/_search?size=0
{
"aggs": {
"range": {
"date_range": {
"field": "booksCreated",
"format": "yyyy-MM-dd",
"ranges": [
{ "to": "now" },
{ "from": "now-1M/M" }
]
}
}
}
}
I've tried all possible ways but it returns empty. 我尝试了所有可能的方法,但是返回的是空的。
but i can query on @timestamp field 但我可以查询@timestamp字段
the problem is that logstash changes the field type from date to string. 问题是,logstash将字段类型从日期更改为字符串。 my json is : 我的json是:
{
"index":"books",
"type":"book",
"body":{
"impressions":{
"_source":{
"enabled":true
},
"properties":{
"BookCreated":"2017-09-18 12:18:39"
}
}
}
}
and my logstash config: 和我的logstash配置:
input {
file {
path => "E:\data2\log\logstash.log"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => json
}
}
filter {
mutate {
strip => ["message"]
}
}
output {
elasticsearch {
hosts => "localhost"
index => "books"
document_type => "book"
}
}
i will log the json to a log file and logstash send them to elasticsearch 我将json记录到日志文件中,然后logstash将它们发送到elasticsearch
after adding json the mapping chasnges to this: 在添加json之后,映射映射如下:
{
"Books": {
"mappings": {
"Books": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"BookCreated": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss"
},
"body": {
"properties": {
"Books": {
"properties": {
"_source": {
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"properties": {
"properties": {
"BookCreated": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}
},
"host": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"index": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"type": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
}
}
it has two BookCreated one isdate and the other is text 它有两个BookCreated一个isdate而另一个是text
2 个解决方案
解决方案1
0 2017-09-17 11:13:16
You need to put from and to in the same range, like this: 您需要将from和to放在相同的范围内,如下所示:
POST /books/_search?size=0
{
"aggs": {
"range": {
"date_range": {
"field": "BookCreated",
"format": "yyyy-MM-dd",
"ranges": [
{
"from": "now-1M/M",
"to": "now"
}
]
}
}
}
}
解决方案2
0 2019-07-05 12:17:40
I'm pretty sure there is an issue with your mapping. 我很确定您的映射存在问题。 First of all, make sure the bookCreated field is named consistently, both in regards to naming as well as capitalization! 首先,请确保在命名和大写方面都对bookCreated字段进行统一命名!
Secondly, I believe the reason you have two bookCreated is because your mapping contains a bookCreated property. 其次,我相信您拥有两个bookCreated的原因是因为您的映射包含bookCreated属性。 Your JSON however contains a nested structure: body => properties => bookCreated . 但是,您的JSON包含一个嵌套结构: body => properties => bookCreated 。 Either flatten/transform the book in logstash to the required index structure, or model your index according to your json, which could look something like this? 要么以logstash形式将书展平/转换为所需的索引结构,要么根据json对索引进行建模,看起来像这样?
"mappings": {
"properties": {
"body": {
"type": "object",
"properties": {
"properties": {
"type": "object",
"properties": {
"bookCreated": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis",
"index": true
}
}
}
}
}
}
}
Either way, I recommend you to set "dynamic": "strict" so you will actually see when you make a mistake in the mapping rather than just new fields being created 无论哪种方式,我都建议您设置"dynamic": "strict"这样您就可以真正看到何时在映射中出错,而不仅仅是创建新字段
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.