kibana：一个查询中的相同字段连接了“and not”操作符和“和”而不是“优先权”

o7jaxewo 于 2021-06-15 发布在 ElasticSearch

关注(0)|答案(1)|浏览(351)

我必须搜索文本字段“body”包括“balance for subscriber with san”和“exclude”的文档，在调用reip适配器后找不到。我在kibana中创建kql请求：
body:“具有san的订阅者的余额”而不是body:“在调用reip适配器后找不到”
但结果包括两个条件，如：“用户与san的平衡”和“调用reip适配器后未找到”。为什么在我的结果中出现“带san的订户余额”和“调用reip适配器后找不到”？
检查kql请求：

"query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match_phrase": {
                        "Body": "Balance for subscriber with SAN"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "must_not": {
                    "bool": {
                      "should": [
                        {
                          "match_phrase": {
                            "Body": "was not found after invoking reip-adapter"
                          }
                        }
                      ],
                      "minimum_should_match": 1
                    }
                  }
                }
              }
            ]
          }
        },
        {
          "range": {
            "Timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2020-08-29T08:24:55.067Z",
              "lte": "2020-08-29T10:24:55.067Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }

“and not”条件不起作用，响应：

-----omitted--------
        "_source": {
          "prospector": {},
          "Severity": "INFO",
          "uuid": "e71b207a-42a6-4b2c-98d1-b1094c578776",
          "Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
          "tags": [
            "iptv",
            "beats_input_codec_plain_applied"
          ],
          "source": "/applogs/Iptv/app.log",
          "host": {
            "name": "e38"
          },
          "offset": 23097554,
          "pid": "2473",
          "Configuration": "IptvFacadeBean",
          "Timestamp": "2020-08-29T10:24:50.040Z",
          "@timestamp": "2020-08-29T10:24:50.446Z",
          "input": {}
        }
-----omitted--------

elasticsearch kibana lucene

来源：https://stackoverflow.com/questions/63646291/kibana-same-fields-in-one-query-concatenated-and-not-operator-and-and-and

1条答案

按热度按时间

dluptydi1#

正在为其编制索引的索引数据 Body 字段为：
“body”：“调用reip适配器后，找不到san=0400043102的订阅服务器的余额。”
这一数字与过去的（ 0400043102was )，因此生成的令牌是：

POST/_analyze

{
  "analyzer" : "standard",
  "text" : "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
}

代币包括：

{
    "tokens": [
        {
            "token": "balance",
            "start_offset": 0,
            "end_offset": 7,
            "type": "<ALPHANUM>",
            "position": 0
        },
        {
            "token": "for",
            "start_offset": 8,
            "end_offset": 11,
            "type": "<ALPHANUM>",
            "position": 1
        },
        {
            "token": "subscriber",
            "start_offset": 12,
            "end_offset": 22,
            "type": "<ALPHANUM>",
            "position": 2
        },
        {
            "token": "with",
            "start_offset": 23,
            "end_offset": 27,
            "type": "<ALPHANUM>",
            "position": 3
        },
        {
            "token": "san",
            "start_offset": 28,
            "end_offset": 31,
            "type": "<ALPHANUM>",
            "position": 4
        },
        {
            "token": "0400043102was",       <-- note this
            "start_offset": 32,
            "end_offset": 45,
            "type": "<ALPHANUM>",
            "position": 5
        },
        {
            "token": "not",
            "start_offset": 46,
            "end_offset": 49,
            "type": "<ALPHANUM>",
            "position": 6
        },
        {
            "token": "found",
            "start_offset": 50,
            "end_offset": 55,
            "type": "<ALPHANUM>",
            "position": 7
        },
        {
            "token": "after",
            "start_offset": 56,
            "end_offset": 61,
            "type": "<ALPHANUM>",
            "position": 8
        },
        {
            "token": "invoking",
            "start_offset": 62,
            "end_offset": 70,
            "type": "<ALPHANUM>",
            "position": 9
        },
        {
            "token": "reip",
            "start_offset": 71,
            "end_offset": 75,
            "type": "<ALPHANUM>",
            "position": 10
        },
        {
            "token": "adapter",
            "start_offset": 76,
            "end_offset": 83,
            "type": "<ALPHANUM>",
            "position": 11
        }
    ]
}

因此，当你试图 match_phrase 这样地：

"should": [
                        {
                          "match_phrase": {
                            "Body": "was not found after invoking reip-adapter"
                          }
                        }
                      ]

没有代币 was 因此，文档匹配 must_not 条件不起作用。
索引数据：

{ "Body":"Balance for subscriber with SAN=0400043102" }
{ "Body":"Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter." }

搜索查询

{
  "query": {
    "bool": {
      "must": {
        "match_phrase": {
          "Body": "Balance for subscriber with SAN"
        }
      },
      "must_not": {
        "match_phrase": {
          "Body": "not found after invoking reip-adapter"
        }
      }
    }
  }
}

搜索结果：

"hits": [
            {
                "_index": "my_index",
                "_type": "_doc",
                "_id": "2",
                "_score": 1.055546,
                "_source": {
                    "Body": "Balance for subscriber with SAN=0400043102"
                }
            }
        ]

赞(0）回复(0）举报 2021-06-15

我来回答

kibana：一个查询中的相同字段连接了“and not”操作符和“和”而不是“优先权”

1条答案

相关问题

热门标签

最新问答