1. Creating documents
Document storage path: index/type/id
Add a document with a specified ID
PUT sfpay_log/waf/1
{
  "eventName": "数据库,软件,引用 测试",
  "title": "this is a test",
  "device": "0001"
}
Result: created successfully
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 0,
"_primary_term": 1
}
The document above was created with PUT; POST can also be used to create a document.
POST sfpay_log/waf/2
{
  "eventName": "软件测试 ",
  "title": "this is three a test",
  "device": "0011"
}
This is created successfully as well
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 0,
"_primary_term": 1
}
When no document ID is specified, Elasticsearch generates a random ID for the document automatically
POST sfpay_log/waf
{
  "eventName": "数据库测试 ",
  "title": "this is also a test",
  "device": "0002"
}
Result:
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "vpnbQWQB9Qq65NE64VPc",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 2,
"_primary_term": 1
}
A word on the difference between PUT and POST:
POST /uri          create
DELETE /uri/xxx    delete
PUT /uri/xxx       update or create
GET /uri/xxx       read
POST does not need a concrete id: it acts on a collection resource (/uri), whereas PUT acts on one concrete resource (/uri/xxx).
In ES, if the document's ID is not known (the meaning of "document" is explained below), POST directly to the corresponding URI (e.g. "POST /website/blog") and ES generates a collision-free UUID itself;
if the document's ID is known, e.g. "PUT /website/blog/123", the request creates or modifies the document (on modification _version increases by 1).
2. Fetching a document
Fetch the document with a given id
GET sfpay_log/waf/1
Result
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 2,
"found": true,
"_source": {
"eventName": "数据库,软件,引用 测试",
"title": "this is a test",
"device": "0001"
}
}
Similarly, if we fetch a document that does not exist, sfpay_log/waf/100, the result is
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "100",
"found": false
}
To check whether a document exists, use HEAD:
HEAD sfpay_log/waf/1
Returned status code:
200 - OK
If the document being checked does not exist (sfpay_log/waf/100):
404 - Not Found
3. Fetching multiple documents (multi get)
An mget multi-document query can specify the conditions for several documents at once
GET /_mget
{
  "docs": [
    {
      "_index": "sfpay_log",
      "_type": "waf",
      "_id": "1"
    },
    {
      "_index": "sfpay_log",
      "_type": "waf",
      "_id": "2"
    }
  ]
}
When the entries share the same "_index", as above, "_index" can be moved into the path.
GET sfpay_log/_mget
{
  "docs": [
    {
      "_type": "waf",
      "_id": "1"
    },
    {
      "_type": "waf",
      "_id": "2"
    }
  ]
}
Likewise, "_type" can also be moved into the path.
GET sfpay_log/waf/_mget
{
  "docs": [
    {
      "_id": "1"
    },
    {
      "_id": "2"
    }
  ]
}
If both the index and the type are in the request URL, the IDs can be given as a plain array
GET sfpay_log/waf/_mget
{
  "ids": ["1", "2"]
}
Here "_type" is an optional condition
GET sfpay_log/_mget
{
  "ids": ["1", "2"]
}
All of the requests above return:
{
"docs": [
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 1,
"found": true,
"_source": {
"eventName": "数据库,软件,引用 测试",
"title": "this is a test",
"device": "0001"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_version": 1,
"found": true,
"_source": {
"eventName": "软件测试 ",
"title": "this is three a test",
"device": "0011"
}
}
]
}
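The create, get, HEAD and mget behaviour described in sections 1 to 3 can be modelled in a few dozen lines. The following is an added example, not Elasticsearch code or the author's: an in-memory store keyed by index/type/id that assumes a single shard (so no _shards block), starts _version at 1 and raises it by one on every write, reports created versus updated, and generates 20-character URL-safe ids when POST is used without one, the same shape as the ids the page shows. The method and class names are my own.

```python
import secrets

# Added example (not Elasticsearch code): a constructed in-memory model of the
# index/type/id storage the page describes. Assumptions: a single shard, so no
# _shards block; _version starts at 1 and rises by one on every write.
class DocStore:
    def __init__(self):
        self._docs = {}  # (index, type, id) -> {"_version": int, "_source": dict}

    def put(self, index, doc_type, doc_id, source):
        """PUT index/type/id: create, or replace with a higher version."""
        key = (index, doc_type, doc_id)
        existing = self._docs.get(key)
        version = existing["_version"] + 1 if existing else 1
        self._docs[key] = {"_version": version, "_source": dict(source)}
        return {"_index": index, "_type": doc_type, "_id": doc_id,
                "_version": version,
                "result": "updated" if existing else "created"}

    def post(self, index, doc_type, source, doc_id=None):
        """POST index/type[/id]: with no id, generate one. 15 random bytes give
        20 URL-safe base64 characters, the same shape as ES auto-generated ids."""
        if doc_id is None:
            doc_id = secrets.token_urlsafe(15)
        return self.put(index, doc_type, doc_id, source)

    def _find(self, index, doc_type, doc_id):
        """Look a document up; with _type omitted, any type in the index matches."""
        if doc_type is not None:
            return doc_type, self._docs.get((index, doc_type, doc_id))
        for (i, t, d), hit in self._docs.items():
            if i == index and d == doc_id:
                return t, hit
        return "_all", None

    def get(self, index, doc_type, doc_id):
        """GET index/type/id: found=true with _source, or found=false."""
        doc_type, hit = self._find(index, doc_type, doc_id)
        base = {"_index": index, "_type": doc_type, "_id": doc_id}
        if hit is None:
            return {**base, "found": False}
        return {**base, "_version": hit["_version"], "found": True,
                "_source": dict(hit["_source"])}

    def head(self, index, doc_type, doc_id):
        """HEAD index/type/id: 200 if the document exists, otherwise 404."""
        return 200 if self._find(index, doc_type, doc_id)[1] is not None else 404

    def mget(self, docs=None, index=None, doc_type=None, ids=None):
        """_mget: each entry may name its own _index/_type or inherit the ones
        taken from the URL; with index and type in the URL a bare ids list is enough."""
        if ids is not None:
            docs = [{"_id": i} for i in ids]
        return {"docs": [self.get(spec.get("_index", index),
                                  spec.get("_type", doc_type), spec["_id"])
                         for spec in docs]}


if __name__ == "__main__":
    store = DocStore()
    print(store.put("sfpay_log", "waf", "1", {"title": "this is a test"}))
    print(store.post("sfpay_log", "waf", {"title": "this is also a test"}))
    print(store.head("sfpay_log", "waf", "100"))  # 404
```

Re-running put on an existing id returns "updated" with _version 2 rather than an error, which is exactly why PUT with a caller-chosen id should only be used where overwriting is intended.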
4. Searching documents
Only simple document search is covered here
1. Retrieve all documents
GET sfpay_log/_search
{
"took": 7,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 4,
"max_score": 1,
"hits": [
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "_yoXRGQBt6c7eh0rEdv2",
"_score": 1,
"_source": {
"eventName": "数据库测试 ",
"title": "this is also a test",
"device": "0002"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_score": 1,
"_source": {
"eventName": "软件测试 ",
"title": "this is three a test",
"device": "0011"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_score": 1,
"_source": {
"eventName": "数据库,软件,引用 测试",
"title": "this is a test",
"device": "0001"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "_ipVQWQBt6c7eh0rKtu9",
"_score": 1,
"_routing": "lc",
"_source": {
"title": "多次查询数据",
"desc": "this is test",
"device": "0001"
}
}
]
}
}
2. term query
term finds documents whose specified field contains the specified token; a document is retrieved only when the query token exactly matches a token in the document field.
GET sfpay_log/_search
{
  "query": {
    "term": {
      "eventName": {
        "value": "软"
      }
    }
  }
}
Because the IK Chinese analyzer is not used here, each Chinese character is treated as a separate token. Result
{
"took": 3,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 2,
"max_score": 0.2876821,
"hits": [
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_score": 0.2876821,
"_source": {
"eventName": "软件测试 ",
"title": "this is three a test",
"device": "0011"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_score": 0.2876821,
"_source": {
"eventName": "数据库,软件,引用 测试",
"title": "this is a test",
"device": "0001"
}
}
]
}
}
3. terms query
Search for a field containing several values
GET sfpay_log/_search
{
  "query": {
    "terms": {
      "title": [
        "this",
        "test"
      ]
    }
  }
}
This searches "title" for the tokens "this" and "test".
{
"took": 14,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 3,
"max_score": 1,
"hits": [
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "_yoXRGQBt6c7eh0rEdv2",
"_score": 1,
"_source": {
"eventName": "数据库测试 ",
"title": "this is also a test",
"device": "0002"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_score": 1,
"_source": {
"eventName": "软件测试 ",
"title": "this is three a test",
"device": "0011"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_score": 1,
"_source": {
"eventName": "数据库,软件,引用 测试",
"title": "this is a test",
"device": "0001"
}
}
]
}
}
4. match query
Unlike the exact term query, a match query returns a document as soon as any one of the query's terms matches in the queried field.
GET sfpay_log/_search
{
  "query": {
    "match": {
      "eventName": "软测"
    }
  }
}
The result shows that any document whose "eventName" field contains any part of "软测" is returned; "_score" is the match score, and the higher the score, the better the match and the earlier the document is ranked.
{
"took": 3,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 3,
"max_score": 0.5753642,
"hits": [
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_score": 0.5753642,
"_source": {
"eventName": "软件测试 ",
"title": "this is three a test",
"device": "0011"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_score": 0.5753642,
"_source": {
"eventName": "数据库,软件,引用 测试",
"title": "this is a test",
"device": "0001"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "_yoXRGQBt6c7eh0rEdv2",
"_score": 0.2876821,
"_source": {
"eventName": "数据库测试 ",
"title": "this is also a test",
"device": "0002"
}
}
]
}
}
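The three query types above differ only in how the query text is analysed and combined, and that is easy to show against the same three documents the page indexed. The following is an added example, not Elasticsearch code or the author's: it tokenises the way the page says the index does (no IK analyzer, so every Chinese character is its own token, while English is lowercased and split on non-alphanumerics), builds an inverted index, and implements term (the value is not analysed and must equal a stored token), terms (any of the listed values) and match (the query text is analysed and its tokens ORed). Scoring is a deliberate stand-in for BM25: a document scores one point per distinct query token it contains, which already reproduces the ranking the page shows. Document ids and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample documents mirroring the three the page indexed (added example).
DOCS = {
    "1": {"eventName": "数据库,软件,引用 测试", "title": "this is a test", "device": "0001"},
    "2": {"eventName": "软件测试 ", "title": "this is three a test", "device": "0011"},
    "3": {"eventName": "数据库测试 ", "title": "this is also a test", "device": "0002"},
}


def analyze(text):
    """Approximate the standard analyzer with no IK plugin: lowercase, split
    alphanumeric runs, and emit every CJK character as a token of its own."""
    return re.findall(r"[a-z0-9]+|[\u4e00-\u9fff]", text.lower())


def build_index(docs):
    """Inverted index: field -> token -> set of document ids."""
    index = defaultdict(lambda: defaultdict(set))
    for doc_id, source in docs.items():
        for field, value in source.items():
            for tok in analyze(value):
                index[field][tok].add(doc_id)
    return index


INDEX = build_index(DOCS)


def term_query(field, value):
    """term: the value is NOT analysed, so it must equal a stored token exactly.
    "软" matches, "软件" never can because no such token exists in the index."""
    return sorted(INDEX[field].get(value, set()))


def terms_query(field, values):
    """terms: documents whose field holds any of the listed tokens (OR)."""
    hits = set()
    for value in values:
        hits |= INDEX[field].get(value, set())
    return sorted(hits)


def match_query(field, text):
    """match: analyse the query text, OR the resulting tokens, and rank by the
    number of distinct query tokens each document contains (stand-in for _score)."""
    scores = defaultdict(int)
    for tok in set(analyze(text)):
        for doc_id in INDEX[field].get(tok, ()):
            scores[doc_id] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(term_query("eventName", "软"))            # ['1', '2']
    print(term_query("eventName", "软件"))          # []
    print(terms_query("title", ["this", "test"]))  # ['1', '2', '3']
    print(match_query("eventName", "软测"))         # [('1', 2), ('2', 2), ('3', 1)]
```

The second term_query call is the caveat worth remembering: a term query for a multi-character string against a text field silently returns nothing, because the index only ever held single-character tokens. For exact-value filtering in log data, a keyword field (or a keyword sub-field) is the right target for term.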
5. Updating documents
In Elasticsearch, document data cannot be changed in place. When we modify a document, Elasticsearch actually creates a new document with a higher version that replaces the old version.
1. Update data
POST sfpay_log/waf/1
{
  "eventName": "操作系统测试攻击",
  "title": "this is a test",
  "device": "0001"
}
On success, Elasticsearch creates a new document with "_version" 2.
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 2,
"result": "updated",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 1,
"_primary_term": 2
}
Note:
- The version increases by 1.
- The created flag is false, because a document with the same ID already exists in the same index and type.
- Internally, ES marks the _version 1 document as "deleted" and adds a complete new document. The old document does not disappear immediately, but it can no longer be accessed.
Now fetch the document we just modified
GET sfpay_log/waf/1
The result is the updated document
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 2,
"found": true,
"_source": {
"eventName": "操作系统测试攻击",
"title": "this is a test",
"device": "0001"
}
}
2. Update a field
Update a document with a script. In the update API a script can change the fields of _source, which the update script refers to as ctx._source. (The same applies to _type, _index, _id and _version.)
POST sfpay_log/waf/1/_update
{
  "script": {
    "source": "ctx._source.device=\"0002\""
  }
}
The update succeeds
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 3,
"result": "updated",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 2,
"_primary_term": 3
}
Running GET sfpay_log/waf/1 returns the document after the update.
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 3,
"found": true,
"_source": {
"eventName": "操作系统测试攻击",
"title": "this is a test",
"device": "0002"
}
}
3. Add a field
The same operation adds the field when the field being updated does not exist. The request below adds a phone field
POST sfpay_log/waf/1/_update
{
  "script": {
    "source": "ctx._source.phone=\"199006006006\""
  }
}
Update succeeded
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 4,
"result": "updated",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 3,
"_primary_term": 3
}
Fetching the document again shows that the "phone" field has been added
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_version": 4,
"found": true,
"_source": {
"eventName": "操作系统测试攻击",
"title": "this is a test",
"device": "0002",
"phone": "199006006006"
}
}
4. Update by query (bulk update)
In the script, the value written in source can be expressed as a parameter, with the concrete value supplied in the params object that follows.
All documents matching the query condition are updated. The request below updates every document whose "eventName" field contains the exact token "测".
POST sfpay_log/waf/_update_by_query
{
  "script": {
    "source": "ctx._source.phone=params.phone",
    "params": {
      "phone": "188199199199"
    }
  },
  "query": {
    "term": {
      "eventName": {
        "value": "测"
      }
    }
  }
}
The result shows that 3 documents were updated successfully
{
"took": 46,
"timed_out": false,
"total": 3,
"updated": 3,
"deleted": 0,
"batches": 1,
"version_conflicts": 0,
"noops": 0,
"retries": {
"bulk": 0,
"search": 0
},
"throttled_millis": 0,
"requests_per_second": -1,
"throttled_until_millis": 0,
"failures": []
}
Afterwards, the query condition from the update request retrieves the documents that were updated
GET sfpay_log/_search
{
  "query": {
    "term": {
      "eventName": {
        "value": "测"
      }
    }
  }
}
All updated documents are returned
{
"took": 5,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 3,
"max_score": 0.2876821,
"hits": [
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "_yoXRGQBt6c7eh0rEdv2",
"_score": 0.2876821,
"_source": {
"phone": "188199199199",
"eventName": "数据库测试 ",
"title": "this is also a test",
"device": "0002"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "2",
"_score": 0.2876821,
"_source": {
"phone": "188199199199",
"eventName": "软件测试 ",
"title": "this is three a test",
"device": "0011"
}
},
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "1",
"_score": 0.2876821,
"_source": {
"phone": "188199199199",
"eventName": "操作系统测试攻击",
"title": "this is a test",
"device": "0002"
}
}
]
}
}
6. Deleting documents
DELETE index/type/id deletes the specified document directly.
Delete the document with id _ipVQWQBt6c7eh0rKtu9:
DELETE sfpay_log/waf/_ipVQWQBt6c7eh0rKtu9
Result
{
"_index": "sfpay_log",
"_type": "waf",
"_id": "_ipVQWQBt6c7eh0rKtu9",
"_version": 1,
"result": "not_found",
"_shards": {
"total": 2,
"successful": 2,
"failed": 0
},
"_seq_no": 9,
"_primary_term": 3
}
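Sections 5 and 6 are one versioning story: a scripted _update bumps _version by one, _update_by_query runs the same script over every document a term query selects and reports total/updated/noops counts, and DELETE on an id that was never indexed answers not_found rather than failing. The following is an added example, not Elasticsearch code or the author's: an in-memory copy of the three documents the page's update-by-query touched, with the versions they had at that point, and a Python callable standing in for a Painless script (it receives ctx, with ctx["_source"] and ctx["op"], plus params, as Painless does). Values travel in params rather than being concatenated into the script text, the pattern the page switches to in step 4; that keeps untrusted input out of script source and lets Elasticsearch reuse one compiled script. Function names are my own, and the "noops" counting assumes a script sets ctx.op to "noop" to skip a document, which is how Painless signals it.

```python
import re

# Constructed in-memory documents keyed by _id (added example, not ES code).
DOCS = {
    "1": {"_version": 2, "_source": {"eventName": "操作系统测试攻击",
                                     "title": "this is a test", "device": "0001"}},
    "2": {"_version": 1, "_source": {"eventName": "软件测试 ",
                                     "title": "this is three a test", "device": "0011"}},
    "_yoXRGQBt6c7eh0rEdv2": {"_version": 1, "_source": {"eventName": "数据库测试 ",
                                     "title": "this is also a test", "device": "0002"}},
}


def set_field(ctx, params):
    """Script body: assign a field from params (adds it if absent), so the
    value is never spliced into the script text."""
    ctx["_source"][params["field"]] = params["value"]


def set_field_once(ctx, params):
    """Script body that leaves already-populated documents alone via ctx.op = noop."""
    if params["field"] in ctx["_source"]:
        ctx["op"] = "noop"
    else:
        ctx["_source"][params["field"]] = params["value"]


def run_script(script, doc):
    """Run a script against one stored document: on noop nothing changes,
    otherwise _source is replaced and _version rises by one."""
    ctx = {"_source": dict(doc["_source"]), "op": "index"}
    script["source"](ctx, script.get("params", {}))
    if ctx["op"] == "noop":
        return "noop"
    doc["_source"] = ctx["_source"]
    doc["_version"] += 1
    return "updated"


def update(doc_id, script):
    """POST index/type/id/_update with a script: a single document."""
    doc = DOCS[doc_id]
    result = run_script(script, doc)
    return {"_id": doc_id, "_version": doc["_version"], "result": result}


def update_by_query(field, token, script):
    """POST index/_update_by_query with a term query: run the script on every
    document whose field contains the exact token (one token per CJK character,
    as with no IK analyzer installed) and return the counts ES reports."""
    counts = {"total": 0, "updated": 0, "noops": 0}
    for doc in DOCS.values():
        if token in re.findall(r"[\u4e00-\u9fff]", doc["_source"].get(field, "")):
            counts["total"] += 1
            counts["updated" if run_script(script, doc) == "updated" else "noops"] += 1
    return counts


def delete(doc_id):
    """DELETE index/type/id: deleted, or not_found when no such document exists."""
    doc = DOCS.pop(doc_id, None)
    if doc is None:
        return {"_id": doc_id, "result": "not_found"}
    return {"_id": doc_id, "_version": doc["_version"] + 1, "result": "deleted"}


if __name__ == "__main__":
    print(update("1", {"source": set_field, "params": {"field": "device", "value": "0002"}}))
    print(update_by_query("eventName", "测",
                          {"source": set_field, "params": {"field": "phone", "value": "188199199199"}}))
    print(delete("_ipVQWQBt6c7eh0rKtu9"))  # not_found, like the page's last response
```

Running the second update_by_query with set_field_once shows the noops counter in action: every selected document already has the field, so total stays 3 while updated drops to 0 and no version moves.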