es DSL 常用查询语句

#排除 client_ip 为 10.*.*.* 的记录(wildcard 只适用于 text/keyword 类型的字段;若 client_ip 映射为 ip 类型,应改用 term 查询配合 CIDR 写法,如 10.0.0.0/8)
{
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }],
        "must_not": [
          {
            "wildcard": {
              "client_ip": {
                "value": "10.*.*.*"
              }
            }
          }
        ]
    }
  }
}
#http_host 匹配 *.xxx.com,且排除 client_ip 为 10.*.*.* 的记录(注意:以 * 开头的通配符查询需要扫描大量词项,在大索引上较慢)
{
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        },
        {
          "wildcard": {
            "http_host": {
              "value": "*.xxx.com"
            }
          }
        }
      ],
      "must_not": [
        {
          "wildcard": {
            "client_ip": {
              "value": "10.*.*.*"
            }
          }
        }
      ]
    }
  }
}
#按 client_ip 聚合(顶层的 "size": 20 控制的是返回的文档条数;terms 聚合返回的桶数由 terms 内的 size 决定,未指定时默认为 10)
{
  "query": {
    "match_all": {}
  },
  "size": 20,
  "aggs": {
    "group_by_state": {
      "terms": {
        "field": "client_ip.keyword"
      }
    }
  }
}
#es多条件查询
{
  "query": {
    "bool": {
      "should": [
        {"match_phrase": {"http_host": "xxx.com"}},
        {"match_phrase": {"request_method": "POST"}},
        {"match_phrase": {"request": "index.php?m=dbsource"}}
        ],
        "minimum_should_match": 3
    }
  }
}
或者
{
  "query": {
    "bool": {
      "minimum_should_match": 2,
      "must": [
        {
          "match": {
            "http_host": "c.huanqiu.com"
          }
        }
      ],
      "should": [
        
        {
          "match_phrase": {
            "request_method": "POST"
          }
        },
        {
          "match_phrase": {
            "request": "index.php?m=member"
          }
        },
        {
          "match_phrase": {
          "request": "index.php?m=dbsource"
          }
        }
      ]
    }
  }
}

#OR
{
  "query": {
    "bool": {
      "must": [
        {"match": {"http_host": "xxx.com"}},
        {"match": {"request_method": "POST"}}
      ],
      "should": [
        {"match_phrase": {"request": "/index.php?m=member"}},
        {"match_phrase": {"request": "/index.php?m=dbsource"}}
      ],
      "minimum_should_match": 1
    }
  }
}

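#疑问:下面这个多条件查询想匹配 request 为 index.php?m=dbsource 的记录,但实际效果是 ? 和 = 都被当作了分隔符。原因是 match 查询会先对查询串做分词(若字段使用默认的 standard 分析器,会在 ? 和 = 处切分),因此

"request": "index.php?m=dbsource" 等同于

"request": "index.php m dbsource";而 match 的各词项之间默认是 OR 关系,所以命中 index.php、m、dbsource 其中任一词项的记录都会返回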

{
  "size": 50,
  "_source": [
    "request"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "http_host": "xxx.com"
          }
        },
        {
          "match": {
            "request_method": "POST"
          }
        },
        {
          "match": {
            "request": "index.php?m=dbsource"
          }
        }
      ]
    }
  }
}

可用:多条件查询改用 match_phrase,要求分词后的词项按顺序相邻出现(查询串仍会经过分词,并非逐字符精确匹配;需要完全精确匹配时应查询 keyword 类型的字段)

{
  "query": {
    "bool": {
      "should": [
        {"match_phrase": {"http_host": "xxx.com"}},
        {"match_phrase": {"request_method": "POST"}},
        {"match_phrase": {"request": "index.php?m=dbsource"}}
      ],
      "minimum_should_match": 3
    }
  }
}
#多条件匹配
{
  "_source": ["request"],
  "query": {
    "bool": {
      "should": [
        {"match_phrase": {"request": "index.php?m=member"}},
        {"match_phrase": {"request": "index.php?m=dbsource"}}
      ],
      "minimum_should_match": 1,
      "must": [
        {"match_phrase": {"http_host": "xxx.com"}},
        {"match_phrase": {"request_method": "POST"}}
      ]
    }
  }
}

filter示例(filter 子句不参与打分,结果可被缓存;term 不对查询值做分词,精确匹配建议使用 keyword 字段,如 http_host.keyword)

{
  "query": {
    "bool": {
      "filter": {
        "term": {
          "http_host": "www.xxx.com"
        }
      }
    }
  }
}

aggs聚合实例

{
  "aggs": {
    "sites": {
      "terms": {
        "field": "http_host.keyword",
        "size": 10
      }
    }
  }
}


转载自blog.csdn.net/firehive/article/details/83865471