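#排除 client_ip 为 10.*.*.*(即 10.0.0.0/8 网段)的记录
#注意:wildcard 只适用于按字符串索引的字段;如果 client_ip 映射为 ip 类型,应改用 term 查询并写 CIDR(如 "10.0.0.0/8")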
{
"query": {
"bool": {
"must": [
{
"match_all": {}
}],
"must_not": [
{
"wildcard": {
"client_ip": {
"value": "10.*.*.*"
}
}
}
]
}
}
}
#http_host 匹配 *.xxx.com,且排除 client_ip 为 10.*.*.* 的记录
#注意:"*.xxx.com" 不会匹配不带子域名的 "xxx.com";以 * 开头的通配符查询开销较大,数据量大时应谨慎使用
{
"query": {
"bool": {
"must": [
{
"match_all": {}
},
{
"wildcard": {
"http_host": {
"value": "*.xxx.com"
}
}
}
],
"must_not": [
{
"wildcard": {
"client_ip": {
"value": "10.*.*.*"
}
}
}
]
}
}
}
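按 client_ip 聚合(terms 聚合,统计每个 client_ip 的文档数)。注意:这里的 "size": 20 控制的是返回的命中文档数,而不是桶的数量;terms 聚合默认只返回前 10 个桶,需要更多时应在 terms 内设置 size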
{
"query": {
"match_all": {}
},
"size": 20,
"aggs": {
"group_by_state": {
"terms": {
"field": "client_ip.keyword"
}
}
}
}
#es多条件查询(3 个 should 条件且 minimum_should_match 为 3,即三个条件必须全部满足)
{
"query": {
"bool": {
"should": [
{"match_phrase": {"http_host": "xxx.com"}},
{"match_phrase": {"request_method": "POST"}},
{"match_phrase": {"request": "index.php?m=dbsource"}}
],
"minimum_should_match": 3
}
}
}
或者(注意:与上例并不等价——must 中的 http_host 必须匹配,3 个 should 条件中至少满足 2 个即可)
{
"query": {
"bool": {
"minimum_should_match": 2,
"must": [
{
"match": {
"http_host": "c.huanqiu.com"
}
}
],
"should": [
{
"match_phrase": {
"request_method": "POST"
}
},
{
"match_phrase": {
"request": "index.php?m=member"
}
},
{
"match_phrase": {
"request": "index.php?m=dbsource"
}
}
]
}
}
}
#OR:must 中的条件必须全部满足,should 中的条件至少满足 1 个
{
"query": {
"bool": {
"must": [
{"match": {"http_host": "xxx.com"}},
{"match": {"request_method": "POST"}}
],
"should": [
{"match_phrase": {"request": "/index.php?m=member"}},
{"match_phrase": {"request": "/index.php?m=dbsource"}}
],
"minimum_should_match": 1
}
}
}
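#疑问:下面的多条件查询想匹配 request 为 index.php?m=dbsource 的记录,但实际效果是 ? 和 = 都被当作了分隔符:
"request": "index.php?m=dbsource" 等同于
"request": "index.php m dbsource",只要匹配到 index.php、m、dbsource 中任意一个词,记录就会被返回
原因:match 查询会先对查询串分词,各词项之间默认按 OR 组合;如需按整串顺序匹配,可改用 match_phrase,或在 match 中设置 "operator": "and" 要求所有词项都出现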
{
"size": 50,
"_source": [
"request"
],
"query": {
"bool": {
"must": [
{
"match": {
"http_host": "xxx.com"
}
},
{
"match": {
"request_method": "POST"
}
},
{
"match": {
"request": "index.php?m=dbsource"
}
}
]
}
}
}
可用:多条件查询,使用 match_phrase(要求分词后的各词项按顺序相邻出现)
{
"query": {
"bool": {
"should": [
{"match_phrase": {"http_host": "xxx.com"}},
{"match_phrase": {"request_method": "POST"}},
{"match_phrase": {"request": "index.php?m=dbsource"}}
],
"minimum_should_match": 3
}
}
}
#多条件匹配
{
"_source": ["request"],
"query": {
"bool": {
"should": [
{"match_phrase": {"request": "index.php?m=member"}},
{"match_phrase": {"request": "index.php?m=dbsource"}}
],
"minimum_should_match": 1,
"must": [
{"match_phrase": {"http_host": "xxx.com"}},
{"match_phrase": {"request_method": "POST"}}
]
}
}
}
filter示例(filter 上下文不计算相关性评分;term 不对查询值分词,若 http_host 是 text 类型,建议改为对 http_host.keyword 做精确匹配)
{
"query": {
"bool": {
"filter": {
"term": {
"http_host": "www.xxx.com"
}
}
}
}
}
aggs聚合示例(按 http_host.keyword 统计文档数最多的前 10 个站点;未设置顶层 "size": 0 时,响应中还会附带命中文档)
{
"aggs": {
"sites": {
"terms": {
"field": "http_host.keyword",
"size": 10
}
}
}
}