ELK介绍
Near Realtime(近实时):Elasticsearch是一个近乎实时的搜索平台,这意味着从索引文档到可搜索文档之间只有一个轻微的延迟(通常是一秒钟)。
Cluster(集群):群集是一个或多个节点的集合,它们一起保存整个数据,并提供跨所有节点的联合索引和搜索功能。每个群集都有自己的唯一群集名称,节点通过名称加入群集。
Node(节点):节点是指属于集群的单个Elasticsearch实例,存储数据并参与集群的索引和搜索功能。可以将节点配置为按集群名称加入特定集群,默认情况下,每个节点都设置为加入一个名为elasticsearch的群集。
Index(索引):索引是一些具有相似特征的文档集合,类似于MySql中数据库的概念。
Type(类型):类型是索引的逻辑类别分区,通常,为具有一组公共字段的文档类型,类似MySql中表的概念。注意:在Elasticsearch 6.0.0及更高的版本中,一个索引只能包含一个类型。
Document(文档):文档是可被索引的基本信息单位,以JSON形式表示,类似于MySql中行记录的概念。
Shards(分片):当索引存储大量数据时,可能会超出单个节点的硬件限制,为了解决这个问题,Elasticsearch提供了将索引细分为分片的概念。分片机制赋予了索引水平扩容的能力、并允许跨分片分发和并行化操作,从而提高性能和吞吐量。
Replicas(副本):在可能出现故障的网络环境中,需要有一个故障切换机制,Elasticsearch提供了将索引的分片复制为一个或多个副本的功能,副本在某些节点失效的情况下提供高可用性。
Elasticsearch
下载
elasticsearch-7.10.2-windows-x86_64.zip
解压
IK
elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.10.2/elasticsearch-analysis-ik-7.10.2.zip
启动
elasticsearch
验证
bin\elasticsearch-sql-cli http://localhost:9200
show tables;
Logstash
下载
logstash-7.10.2-windows-x86_64.zip
解压
配置
拷贝config/logstash-sample.conf bin目录下,并改名为logstash.conf
案例1:
| input { file{ path => "var/log/nginx/access.log" #type => "system" #start_position => "beginning" } } output { elasticsearch { hosts => ["192.168.13.129:9200"] index => "logstash-nginx-access" #index => "system-%{+YYYY.MM.dd}" } } |
案例2:
| input { tcp { mode => "server" host => "0.0.0.0" port => 4560 codec => json_lines type => "debug" } tcp { mode => "server" host => "0.0.0.0" port => 4561 codec => json_lines type => "error" } tcp { mode => "server" host => "0.0.0.0" port => 4562 codec => json_lines type => "business" } tcp { mode => "server" host => "0.0.0.0" port => 4563 codec => json_lines type => "record" } } filter{ if [type] == "record" { mutate { remove_field => "port" remove_field => "host" remove_field => "@version" } json { source => "message" remove_field => ["message"] } } } output { elasticsearch { hosts => "localhost:9200" index => "mall-%{type}-%{+YYYY.MM.dd}" } } |
json_line
logstash-plugin install logstash-codec-json_lines
启动
logstash -f logstash.conf
验证
http://localhost:9200/
Kibana
下载
kibana-7.10.2-windows-x86_64.zip
解压
中文
修改config/kibana.yml
i18n.locale: "zh-CN"
配置
修改config/kibana.yml
| a.修改kibana服务端口(默认:5601) #server.port: 5601 server.port: 5601 b.修改kibana服务ip(默认:localhost) #server.host: “localhost” server.host: “192.168.50.11” c.修改elasticsearch地址(默认:http://localhost:9200) 替换成你要替换的搜索引擎的地址 #elasticsearch.url: “http://localhost:9200” elasticsearch.url: “http://192.168.50.11:9200” |
启动
kibana
kibana -d
nohub kibana &
验证
ELK使用
以下均使用kibana的dev-tools操作elasticsearch,采用DSL语言。
集群状态
查看集群健康状态:GET /_cat/health?v
查看节点状态:GET /_cat/nodes?v
查看所有索引信息:GET /_cat/indices?v
索引操作
创建索引并查看;
PUT /customer
GET /_cat/indices?v
删除索引并查看;
DELETE /customer
GET /_cat/indices?v
类型操作
查看文档的类型;
GET /bank/account/_mapping
文档操作
在索引中添加文档;
PUT /customer/doc/1
{
"name": "John Doe"
}
查看索引中的文档;
GET /customer/doc/1
修改索引中的文档:
POST /customer/doc/1/_update
{
"doc": { "name": "Jane Doe" }
}
删除索引中的文档;
DELETE /customer/doc/1
对索引中的文档执行批量操作;
POST /customer/doc/_bulk
{"index":{"_id":"1"}}
{"name": "John Doe" }
{"index":{"_id":"2"}}
{"name": "Jane Doe" }
数据搜索
查询表达式(Query DSL)是一种非常灵活又富有表现力的查询语言,Elasticsearch使用它可以以简单的JSON接口来实现丰富的搜索功能,下面的搜索操作都将使用它。
数据准备
首先我们需要导入一定量的数据用于搜索,使用的是银行账户表的例子,数据结构如下:
{
"account_number": 0,
"balance": 16623,
"firstname": "Bradshaw",
"lastname": "Mckenzie",
"age": 29,
"gender": "F",
"address": "244 Columbus Place",
"employer": "Euron",
"email": "bradshawmckenzie@euron.com",
"city": "Hobucken",
"state": "CO"
}
我们先复制下需要导入的数据,数据地址: https://github.com/macrozheng/mall-learning/blob/master/document/json/accounts.json
然后直接使用批量操作来导入数据,注意本文所有操作都在Kibana的Dev Tools中进行;
POST /bank/account/_bulk
{
"index": {
"_id": "1"
}
}
{
"account_number": 1,
"balance": 39225,
"firstname": "Amber",
"lastname": "Duke",
"age": 32,
"gender": "M",
"address": "880 Holmes Lane",
"employer": "Pyrami",
"email": "amberduke@pyrami.com",
"city": "Brogan",
"state": "IL"
}
......省略若干条数据
导入完成后查看索引信息,可以发现bank索引中已经创建了1000条文档。
GET /_cat/indices?v
搜索入门
搜索全部
最简单的搜索,使用match_all来表示,例如搜索全部;
GET /bank/_search
{
"query": { "match_all": {} }
}
分页搜索
from表示偏移量,从0开始,size表示每页显示的数量;
GET /bank/_search
{
"query": { "match_all": {} },
"from": 0,
"size": 10
}
搜索排序
使用sort表示,例如按balance字段降序排列;
GET /bank/_search
{
"query": { "match_all": {} },
"sort": { "balance": { "order": "desc" } }
}
指定字段
搜索并返回指定字段内容,使用_source表示,例如只返回account_number和balance两个字段内容:
GET /bank/_search
{
"query": { "match_all": {} },
"_source": ["account_number", "balance"]
}
条件搜索
使用match表示匹配条件,例如搜索出account_number为20的文档:
GET /bank/_search
{
"query": {
"match": {
"account_number": 20
}
}
}
模糊匹配
文本类型字段的条件搜索,例如搜索address字段中包含mill的文档,对比上一条搜索可以发现,对于数值类型match操作使用的是精确匹配,对于文本类型使用的是模糊匹配;
GET /bank/_search
{
"query": {
"match": {
"address": "mill"
}
},
"_source": [
"address",
"account_number"
]
}
短语匹配
短语匹配搜索,使用match_phrase表示,例如搜索address字段中同时包含mill和lane的文档:
GET /bank/_search
{
"query": {
"match_phrase": {
"address": "mill lane"
}
}
}
组合搜索must
使用bool来进行组合,must表示同时满足,例如搜索address字段中同时包含mill和lane的文档;
GET /bank/_search
{
"query": {
"bool": {
"must": [
{ "match": { "address": "mill" } },
{ "match": { "address": "lane" } }
]
}
}
}
组合搜索should
should表示满足其中任意一个,搜索address字段中包含mill或者lane的文档;
GET /bank/_search
{
"query": {
"bool": {
"should": [
{ "match": { "address": "mill" } },
{ "match": { "address": "lane" } }
]
}
}
}
组合搜索must_not
must_not表示同时不满足,例如搜索address字段中不包含mill且不包含lane的文档;
GET /bank/_search
{
"query": {
"bool": {
"must_not": [
{ "match": { "address": "mill" } },
{ "match": { "address": "lane" } }
]
}
}
}
组合搜索must和must_not
组合must和must_not,例如搜索age字段等于40且state字段不包含ID的文档;
GET /bank/_search
{
"query": {
"bool": {
"must": [
{ "match": { "age": "40" } }
],
"must_not": [
{ "match": { "state": "ID" } }
]
}
}
}
过滤搜索
搜索过滤,使用filter来表示,例如过滤出balance字段在20000~30000的文档;
GET /bank/_search
{
"query": {
"bool": {
"must": { "match_all": {} },
"filter": {
"range": {
"balance": {
"gte": 20000,
"lte": 30000
}
}
}
}
}
}
搜索聚合
对搜索结果进行聚合,使用aggs来表示,类似于MySql中的group by,例如对state字段进行聚合,统计出相同state的文档数量;
GET /bank/_search
{
"size": 0,
"aggs": {
"group_by_state": {
"terms": {
"field": "state.keyword"
}
}
}
}
嵌套聚合
例如对state字段进行聚合,统计出相同state的文档数量,再统计出balance的平均值;
GET /bank/_search
{
"size": 0,
"aggs": {
"group_by_state": {
"terms": {
"field": "state.keyword"
},
"aggs": {
"average_balance": {
"avg": {
"field": "balance"
}
}
}
}
}
}
聚合搜索排序
对聚合搜索的结果进行排序,例如按balance的平均值降序排列;
GET /bank/_search
{
"size": 0,
"aggs": {
"group_by_state": {
"terms": {
"field": "state.keyword",
"order": {
"average_balance": "desc"
}
},
"aggs": {
"average_balance": {
"avg": {
"field": "balance"
}
}
}
}
}
}
分段聚合
按字段值的范围进行分段聚合,例如分段范围为age字段的[20,30] [30,40] [40,50],之后按gender统计文档个数和balance的平均值;
GET /bank/_search
{
"size": 0,
"aggs": {
"group_by_age": {
"range": {
"field": "age",
"ranges": [
{
"from": 20,
"to": 30
},
{
"from": 30,
"to": 40
},
{
"from": 40,
"to": 50
}
]
},
"aggs": {
"group_by_gender": {
"terms": {
"field": "gender.keyword"
},
"aggs": {
"average_balance": {
"avg": {
"field": "balance"
}
}
}
}
}
}
}
}
sql-cli
如果你不想使用Kibana来使用ES SQL的话,也可以使用ES自带的SQL CLI来查询,该命令位于ES的bin目录下。
使用如下命令启动SQL CLI:
elasticsearch-sql-cli http://localhost:9200
然后直接输入SQL命令即可查询了,注意要加分号。
SELECT account_number,address,age,balance FROM account LIMIT 10;
使用SQL查询ES有一定的局限性,没有原生的Query DSL那么强大,对于嵌套属性和某些函数的支持并不怎么好,但是平时用来查询下数据基本够用了。
分词器
使用默认分词器,可以发现默认分词器只是将中文逐词分隔,并不符合我们的需求;
GET /pms/_analyze
{
"text": "小米手机性价比很高",
"tokenizer": "standard"
}
使用中文分词器以后,可以将中文文本按语境进行分隔,可以满足我们的需求。
GET /pms/_analyze
{
"text": "小米手机性价比很高",
"tokenizer": "ik_max_word"
}
案例1:成绩
创建一个成绩索引,字段说明:
| 姓名:name 性别:sex 课程:course 成绩:Score |
建立索引,配置mapping。
name为text类型,用于全文检索(需要安装ik中文分词器插件),可视化统计时text类型的字段是不显示的;name_keyword为keyword类型,用于可视化时聚合。如果仅仅是测试kibana可视化,可以去掉name字段或"analyzer": “ik_max_word”。
| PUT chengji { "mappings": { "properties": { "name": { "type": "text", "analyzer": "ik_max_word" }, "name_keyword": { "type": "keyword" }, "sex": { "type": "keyword" }, "course": { "type": "keyword" }, "score": { "type": "integer" } } } } |
批量添加数据,打开Kibana的Dev Tools,运行如下命令:
| POST _bulk {"index":{"_index":"chengji","_type":"_doc"}} {"name":"张三","name_keyword":"张三","sex":"男","course":"语文","Score":76} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"张三","name_keyword":"张三","sex":"男","course":"数学","Score":95} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"张三","name_keyword":"张三","sex":"男","course":"英语","Score":58} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"李四","name_keyword":"李四","sex":"男","course":"语文","Score":68} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"李四","name_keyword":"李四","sex":"男","course":"数学","Score":45} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"李四","name_keyword":"李四","sex":"男","course":"英语","Score":37} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"王五","name_keyword":"王五","sex":"男","course":"语文","Score":81} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"王五","name_keyword":"王五","sex":"男","course":"数学","Score":74} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"王五","name_keyword":"王五","sex":"男","course":"英语","Score":64} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"马六","name_keyword":"马六","sex":"男","course":"语文","Score":69} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"马六","name_keyword":"马六","sex":"男","course":"数学","Score":93} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"马六","name_keyword":"马六","sex":"男","course":"英语","Score":77} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"小丽","name_keyword":"小丽","sex":"女","course":"语文","Score":84} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"小丽","name_keyword":"小丽","sex":"女","course":"数学","Score":61} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"小丽","name_keyword":"小丽","sex":"女","course":"英语","Score":88} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"小梅","name_keyword":"小梅","sex":"女","course":"语文","Score":85} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"小梅","name_keyword":"小梅","sex":"女","course":"数学","Score":78} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"小梅","name_keyword":"小梅","sex":"女","course":"英语","Score":92} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"周美","name_keyword":"周美","sex":"男","course":"语文","Score":96} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"周美","name_keyword":"周美","sex":"男","course":"数学","Score":97} {"index":{"_index":"chengji","_type":"_doc"}} {"name":"周美","name_keyword":"周美","sex":"男","course":"英语","Score":93} |
查询,验证
| POST chengji/_search {} |
查询结果如图所示,说明数据添加成功。
案例2:账户
导入数据:
在Kibana的Dev Tools中运行如下命令:
我们可以使用SHOW TABLES查看所有的表(ES中为索引)。
POST /_sql?format=txt
{
"query": "SHOW TABLES"
}
我们可以使用DESCRIBE语句查看表(ES中为索引)中有哪些字段,比如查看account表的字段,查询语句如下。
POST /_sql?format=txt
{
"query": "DESCRIBE account"
}
我们使用SQL来查询下前10条记录,可以通过format参数控制返回结果的格式,txt表示文本格式,看起来更直观点,默认为json格式。
在Kibana的Console中输入如下命令:
POST /_sql?format=txt
{
"query": "SELECT account_number,address,age,balance FROM account LIMIT 10"
}
查询结果显示如下。
当我们需要使用Query DSL时,也可以先使用SQL来查询,然后通过Translate API转换即可。
例如我们翻译以下查询语句:
POST /_sql/translate
{
"query": "SELECT account_number,address,age,balance FROM account WHERE age>32 LIMIT 10"
}
最终获取到Query DSL结果如下。
我们还可以将SQL和Query DSL混合使用,比如使用Query DSL来设置过滤条件。
例如查询age在30-35之间的记录,可以使用如下查询语句:
POST /_sql?format=txt
{
"query": "SELECT account_number,address,age,balance FROM account",
"filter": {
"range": {
"age": {
"gte" : 30,
"lte" : 35
}
}
},
"fetch_size": 10
}
查询结果展示如下:
| SQL | ES | 描述 |
| column | field | 数据库中表的字段与ES中的属性对应 |
| row | document | 数据库表中的行记录与ES中的文档对应 |
| table | index | 数据库中的表与ES中的索引对应 |
在ES中使用SQL查询的语法与在数据库中使用基本一致,具体格式如下:
SELECT select_expr [, ...]
[ FROM table_name ]
[ WHERE condition ]
[ GROUP BY grouping_element [, ...] ]
[ HAVING condition]
[ ORDER BY expression [ ASC | DESC ] [, ...] ]
[ LIMIT [ count ] ]
[ PIVOT ( aggregation_expr FOR column IN ( value [ [ AS ] alias ] [, ...] ) ) ]
可以使用WHERE语句设置查询条件,比如查询state字段为VA的记录,查询语句如下。
POST /_sql?format=txt
{
"query": "SELECT account_number,address,age,balance,state FROM account WHERE state='VA' LIMIT 10 "
}
查询结果展示如下:
我们可以使用GROUP BY语句对数据进行分组,统计出分组记录数量,最大age和平均balance等信息,查询语句如下。
POST /_sql?format=txt
{
"query": "SELECT state,COUNT(*),MAX(age),AVG(balance) FROM account GROUP BY state LIMIT 10"
}
我们可以使用HAVING语句对分组数据进行二次筛选,比如筛选分组记录数量大于15的信息,查询语句如下。
POST /_sql?format=txt
{
"query": "SELECT state,COUNT(*),MAX(age),AVG(balance) FROM account GROUP BY state HAVING COUNT(*)>15 LIMIT 10"
}
我们可以使用ORDER BY语句对数据进行排序,比如按照balance字段从高到低排序,查询语句如下。
POST /_sql?format=txt
{
"query": "SELECT account_number,address,age,balance,state FROM account ORDER BY balance DESC LIMIT 10 "
}
使用SQL查询ES中的数据,不仅可以使用一些SQL中的函数,还可以使用一些ES中特有的函数。
我们可以使用SHOW FUNCTIONS语句查看所有支持的函数,比如搜索所有带有DATE字段的函数可以使用如下语句。
POST /_sql?format=txt
{
"query": "SHOW FUNCTIONS LIKE '%DATE%'"
}
全文搜索函数是ES中特有的,当使用MATCH或QUERY函数时,会启用全文搜索功能,SCORE函数可以用来统计搜索评分。
使用MATCH函数查询address中包含Street的记录。
POST /_sql?format=txt
{
"query": "SELECT account_number,address,age,balance,SCORE() FROM account WHERE MATCH(address,'Street') LIMIT 10"
}
使用QUERY函数查询address中包含Street的记录。
POST /_sql?format=txt
{
"query": "SELECT account_number,address,age,balance,SCORE() FROM account WHERE QUERY('address:Street') LIMIT 10"
}
扫一扫
414
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
