Some common Elasticsearch operations

1. Check cluster health

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/health?v
epoch      timestamp cluster      status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1552784149 00:55:49  ELK-chaofeng green           3         3     44  22    0    0        0             0                  -                100.0%

2. List the cluster nodes

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/nodes?v
ip          heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
172.16.0.52           13          22   0    0.00    0.06     0.12 mdi       -      elk02
172.16.0.51           13          97   0    0.00    0.01     0.05 mdi       *      elk01
172.16.0.53           12          97   0    0.00    0.01     0.05 mdi       -      elk03

3. Check the master node

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/master?v
id                     host        ip          node
8Z8Oi4ipRCmaAjKESa2-FA 172.16.0.51 172.16.0.51 elk01

4. List the plugins installed in the ES cluster

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/plugins?v
name component version

No plugins are installed at this point.

5. List the cluster's indices

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/indices?v
health status index                    uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logstash-apacheerrorlogs kBCaAVGcQfahh730CXsFyw   5   1        111            0      264kb          132kb
green  open   .newkibana_1             aFFVpEqeTbSxQyJ48Djwyw   1   1          9            0    113.8kb         56.9kb
green  open   .kibana_1                nmZWm-d5TGy6ZqMgvslPEQ   1   1          3            0       24kb           12kb
green  open   logstash-apachelogs      VIzul30TTpWltpIrgrPwEA   5   1         77            0    765.9kb        382.9kb
green  open   sys                      58eN-9CRRqGt8i-B5Ar-qQ   5   1          0            0      2.5kb          1.2kb
green  open   logstash-apachehahalogs  uSmB7bPmR5WbqIscyduvIA   5   1       5767            0      9.2mb          4.6mb

6. Customize the node status display.

First, get the help output:

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/nodes?help
id                           | id,nodeId                      | unique node id                                                                                                   
pid                          | p                              | process id                                                                                                       
ip                           | i                              | ip address                                                                                                       
port                         | po                             | bound transport port                                                                                             
http_address                 | http                           | bound http address                                                                                               
version                      | v                              | es version             

There are many more columns; you can request whichever ones you want. For example:

[root@ELK-chaofeng01 ~]#curl -XGET http://172.16.0.51:9200/_cat/nodes?h=name,ip,port,jdk
elk02 172.16.0.52 9300 1.8.0_201
elk01 172.16.0.51 9300 1.8.0_201
elk03 172.16.0.53 9300 1.8.0_201

7. Show the ES information of the current node

[root@ELK-chaofeng01 ~]#curl http://172.16.0.51:9200
{
  "name" : "elk01",
  "cluster_name" : "ELK-chaofeng",
  "cluster_uuid" : "5VIF1_SdQdGbRekuR9q4-A",
  "version" : {
    "number" : "6.5.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "9434bed",
    "build_date" : "2018-11-29T23:58:20.891072Z",
    "build_snapshot" : false,
    "lucene_version" : "7.5.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

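Seeing "You Know, for Search" means ES has been installed successfully.

8. Install plugins; the best-known plugin is HEAD.

See my earlier blog post, which explains how to install the HEAD plugin: https://www.cnblogs.com/FengGeBlog/p/10471710.html

9. Add an index and content

The "-H Content-Type:application/json" on the first line must be included. This is a difference between 6.x and 5.x; without it the index cannot be created.

10. Look up the index we just created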

[root@ELK-chaofeng01 ~]#curl -XGET '172.16.0.51:9200/student/_search?pretty'
{
  "took" : 184,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "student",
        "_type" : "major",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "name" : "Chao feng",
          "age" : 24,
          "course" : "English"
        }
      }
    ]
  }
}

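Append "_search" to the index name to view the contents of that index; by default it lists all content under that index.

11. Search for specific content within a given index, for example "English"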

[root@ELK-chaofeng01 ~]#curl -XGET '172.16.0.51:9200/student/_search?q="English"&pretty'
{
  "took" : 12,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 0.2876821,
    "hits" : [
      {
        "_index" : "student",
        "_type" : "major",
        "_id" : "1",
        "_score" : 0.2876821,
        "_source" : {
          "name" : "Chao feng",
          "age" : 24,
          "course" : "English"
        }
      }
    ]
  }
}

ES converts case internally; by default, searches are case-insensitive.

11.1) Uploading with the HEAD plugin

12) Search a specific type within an index

[root@ELK-chaofeng01 ~]#curl -XGET '172.16.0.51:9200/student/major/_search?q="English"&pretty'
{
  "took" : 19,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 0.2876821,
    "hits" : [
      {
        "_index" : "student",
        "_type" : "major",
        "_id" : "1",
        "_score" : 0.2876821,
        "_source" : {
          "name" : "Chao feng",
          "age" : 24,
          "course" : "English"
        }
      }
    ]
  }
}

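13) Example: counting matches within an index

I want to count how many "notice" entries there are in one index of the ES cluster. I had previously collected logs and sent them to the ES cluster; the number of "notice" lines in the logs at that time was:

Now I check with a search in the ES cluster:

Exactly right; the search works very well. The default field searched above is "_all".

You can also use this technique to narrow the search: "loglevel:notice". Adding the colon in front means matching against a specific type.

Learn to query using the "q=Type:WORD" form.

14) A simple query

15) Complex processing; mind the format. The hallmark of complex processing is "query_string".

Mind the quotes.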
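
The requests described in sections 9 and 13 to 15, as an added example (these are not the author's original commands). The document body is taken from the output in section 10; the helper names (es_curl, json_escape, count_field, query_string_body, search_query_string) and the choice of logstash-apacheerrorlogs as the log index are assumptions.

```shell
#!/bin/sh
# Added example, not the blog author's commands. Assumes an ES 6.x node at
# ES_URL reachable without authentication, as in the sessions above.
ES_URL="${ES_URL:-http://172.16.0.51:9200}"
# Assumption: the page does not name the index holding the "notice" lines.
LOG_INDEX="${LOG_INDEX:-logstash-apacheerrorlogs}"

# Run curl, or only print the (unquoted) command line when ES_DRY_RUN=1.
es_curl() {
  if [ "${ES_DRY_RUN:-0}" = 1 ]; then printf 'curl %s\n' "$*"; else curl -sS "$@"; fi
}

# Escape backslashes and double quotes so a single-line term is a valid JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Section 9: ES 6.x rejects a request body sent without an explicit Content-Type.
index_student() {
  es_curl -XPUT "$ES_URL/student/major/1?pretty" \
    -H 'Content-Type: application/json' \
    -d '{"name":"Chao feng","age":24,"course":"English"}'
}

# Sections 13-14: URI search, q=FIELD:WORD. -G with --data-urlencode lets curl
# percent-encode the value; size=0 returns only hits.total, i.e. the count.
count_field() {  # usage: count_field FIELD WORD
  es_curl -G "$ES_URL/$LOG_INDEX/_search" \
    --data-urlencode "q=$1:$2" --data-urlencode 'size=0' --data-urlencode 'pretty=true'
}

# Section 15: request body for the query_string query.
query_string_body() {  # usage: query_string_body FIELD TERM
  printf '{"query":{"query_string":{"default_field":"%s","query":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

search_query_string() {  # usage: search_query_string FIELD TERM
  es_curl -XPOST "$ES_URL/$LOG_INDEX/_search?pretty" \
    -H 'Content-Type: application/json' \
    -d "$(query_string_body "$1" "$2")"
}
```

Set ES_DRY_RUN=1 to print the curl command lines without contacting the cluster. json_escape only makes the term valid JSON; query_string operators inside the term are still interpreted by Elasticsearch.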

Reposted from www.cnblogs.com/FengGeBlog/p/10545339.html