java 操作 Es Api 不能忽略的步驟
/**
* @author zhangxiao
* @qq 490433117
* @create_date 2021/9/8 11:54
*/
package com.foodie.elasticsearch;
import java.io.IOException;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
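@SpringBootTest
@RunWith(SpringRunner.class)
public class elasticsearchTest {

    /** High-level REST client supplied by the Spring test context. */
    @Autowired
    private RestHighLevelClient restHighLevelClient;

    /**
     * Smoke-tests the client: searches {@code kibana_sample_data_ecommerce} for documents whose
     * {@code products.product_id} matches {@code 9999} and prints the total hit count.
     *
     * @throws RuntimeException wrapping the {@link IOException} raised when the request cannot
     *     be sent; unchecked Elasticsearch exceptions propagate unwrapped
     */
    @Test
    public void index() {
        // 1. target index
        SearchRequest searchRequest = new SearchRequest();
        searchRequest.indices("kibana_sample_data_ecommerce");
        // 2./3. query DSL: a match query on products.product_id
        SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
        searchSourceBuilder.query(QueryBuilders.matchQuery("products.product_id", "9999"));
        searchRequest.source(searchSourceBuilder);
        try {
            // 4. send the request
            SearchResponse response = restHighLevelClient.search(searchRequest, RequestOptions.DEFAULT);
            long totalHits = response.getHits().getTotalHits().value;
            System.out.println(totalHits);
        } catch (IOException e) {
            // Only the transport failure is checked; catching the narrowest type keeps the real
            // exception type visible in the test report for everything else.
            throw new RuntimeException(e);
        }
    }
}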
複雜查詢這樣操作
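@Override
/**
 * Runs a paged search over the winlog indices chosen by {@code getWinlogIndex} and stores the
 * result page and total count on the given criteria object.
 *
 * <p>The page number (1-based) and page size are read from {@code siemCriteria}; hits are sorted
 * by {@code @timestamp} descending, projected to the fields from {@code fetchSource}, and filtered
 * by {@code rangeQuery} and {@code conditionQuery}.
 *
 * @param siemCriteria search criteria; updated in place with the page list and total count
 * @return the same {@code siemCriteria} instance, with an empty page when no index matches or the
 *     search transport fails
 */
public SiemCriteria querySiemByEs(SiemCriteria siemCriteria) {
    // Upper bound the cluster waits for the search before returning what it has.
    final TimeValue searchTimeout = new TimeValue(60, TimeUnit.SECONDS);

    String[] winlogIndex = getWinlogIndex(siemCriteria);
    if (winlogIndex == null || winlogIndex.length == 0) {
        // Nothing to search: return an empty page instead of querying every index.
        siemCriteria.setTotalCount(0);
        siemCriteria.setPageList(new ArrayList<>());
        return siemCriteria;
    }

    SearchSourceBuilder sourceBuilder = new SearchSourceBuilder();
    sourceBuilder.fetchSource(fetchSource(siemCriteria), null);
    sourceBuilder.sort("@timestamp", SortOrder.DESC);
    sourceBuilder.size(siemCriteria.getPageSize());
    // Pages are 1-based; clamp so a page number below 1 cannot produce a negative offset.
    sourceBuilder.from(Math.max(0, (siemCriteria.getCurrentPage() - 1) * siemCriteria.getPageSize()));
    sourceBuilder.timeout(searchTimeout);

    // Compose the bool query: time window first, then the free-text / ip conditions.
    BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();
    boolQueryBuilder = rangeQuery(boolQueryBuilder, siemCriteria);
    boolQueryBuilder = conditionQuery(boolQueryBuilder, siemCriteria);
    sourceBuilder.query(boolQueryBuilder);

    SearchRequest searchRequest = new SearchRequest();
    searchRequest.indices(winlogIndex);
    searchRequest.source(sourceBuilder);

    RestHighLevelClient esClient = Esclient.getClient();
    try {
        SearchResponse response = esClient.search(searchRequest, RequestOptions.DEFAULT);
        SearchHits hits = response.getHits();
        // getTotalHits() can be null when total-hit tracking is disabled on the request.
        long totalHits = hits.getTotalHits() == null ? 0L : hits.getTotalHits().value;
        // Saturate instead of wrapping when the count exceeds the int range.
        siemCriteria.setTotalCount((int) Math.min(totalHits, Integer.MAX_VALUE));
        siemCriteria.setPageList(hitsToList(hits));
    } catch (IOException e) {
        // Best-effort contract: a transport failure yields an empty, consistent page.
        // NOTE(review): route this to the project's logger; with this contract callers cannot
        // tell "no events" from "search failed".
        e.printStackTrace();
        siemCriteria.setTotalCount(0);
        siemCriteria.setPageList(new ArrayList<>());
    }
    return siemCriteria;
}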
1. 範圍查詢函式封裝
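/**
 * Adds a {@code @timestamp} range clause to the bool query.
 *
 * <p>Bounds come from the {@code startTime} / {@code endTime} entries of the criteria's condition
 * map (both assumed to be {@link Integer} values accepted by {@code DateUtil.intToEsString}).
 * When neither bound is present, the window defaults to the last three days.
 *
 * @param boolQueryBuilder query to extend
 * @param siemCriteria criteria whose condition map (may be null) supplies the bounds
 * @return {@code boolQueryBuilder} with the range clause added as a {@code must}
 * @throws ClassCastException if a supplied bound is not an {@link Integer}
 */
private BoolQueryBuilder rangeQuery(BoolQueryBuilder boolQueryBuilder, SiemCriteria siemCriteria) {
    // Default look-back window, in the same unit as DateUtil.getCurrentTime() (seconds, presumably).
    final int defaultWindow = 60 * 60 * 24 * 3;

    Map<String, Object> condition = siemCriteria.getCondition();
    Object start = condition == null ? null : condition.get("startTime");
    Object end = condition == null ? null : condition.get("endTime");

    if (start != null && end != null) {
        return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp")
                .gte(DateUtil.intToEsString((Integer) start))
                .lte(DateUtil.intToEsString((Integer) end)));
    }
    if (start != null) {
        return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp")
                .gte(DateUtil.intToEsString((Integer) start)));
    }
    if (end != null) {
        return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp")
                .lte(DateUtil.intToEsString((Integer) end)));
    }
    // No bounds given: restrict to the recent window so an unbounded scan is never issued.
    return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp")
            .gte(DateUtil.intToEsString(DateUtil.getCurrentTime() - defaultWindow)));
}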
2. 構建複雜條件
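/**
 * Adds the optional free-text and host-ip filters from the criteria's condition map.
 *
 * <p>{@code textval} becomes a multi-match over {@code message}, {@code host.ip} and
 * {@code host.name}; {@code ip} becomes a term query on {@code host.ip}. Values are handed to the
 * query builders as literals rather than spliced into a query string, so user text cannot change
 * the query structure. Non-string or blank values are ignored.
 *
 * @param boolQueryBuilder query to extend
 * @param siemCriteria criteria whose condition map (may be null or empty) supplies the filters
 * @return {@code boolQueryBuilder} with any applicable {@code must} clauses added
 */
private BoolQueryBuilder conditionQuery(BoolQueryBuilder boolQueryBuilder, SiemCriteria siemCriteria) {
    Map<String, Object> condition = siemCriteria.getCondition();
    if (!MapUtils.isNotEmpty(condition)) {
        return boolQueryBuilder;
    }

    Object textval = condition.get("textval");
    // instanceof guards replace the bare casts so a non-string value is skipped, not a CCE.
    if (textval instanceof String && StringUtil.isNotEmpty((String) textval)) {
        boolQueryBuilder = boolQueryBuilder.must(
                QueryBuilders.multiMatchQuery(textval, "message", "host.ip", "host.name"));
    }

    Object ipaddr = condition.get("ip");
    if (ipaddr instanceof String && StringUtil.isNotEmpty((String) ipaddr)) {
        boolQueryBuilder = boolQueryBuilder.must(QueryBuilders.termQuery("host.ip", ipaddr));
    }
    return boolQueryBuilder;
}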
3. 設定需要返回的欄位
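/**
 * Chooses the {@code _source} fields the search should return.
 *
 * <p>If the criteria's condition map carries a non-empty {@code sourceList}, those field names
 * are returned as-is; otherwise a fixed default set of winlog fields is used.
 *
 * @param siemCriteria criteria whose condition map (may be null) can name the fields
 * @return field names to include in {@code _source}, never null or empty
 */
private String[] fetchSource(SiemCriteria siemCriteria) {
    Map<String, Object> condition = siemCriteria.getCondition();
    Object sourceList = condition == null ? null : condition.get("sourceList");
    if (sourceList instanceof List) {
        // Unchecked by nature: the map only promises Object; elements are assumed to be strings.
        @SuppressWarnings("unchecked")
        List<String> requested = (List<String>) sourceList;
        if (CollectionUtils.isNotEmpty(requested)) {
            // NOTE(review): if the condition map originates from an external request, this lets
            // the caller name any stored field; apply an allow-list when the input is untrusted.
            return requested.toArray(new String[0]);
        }
    }
    // Default projection ("message" was listed twice before; duplicates add nothing).
    return new String[] {
        "message",    // event text
        "@timestamp", // event time
        "log.level",  // severity
        "log",
        "host",
        "winlog"
    };
}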
4. 返回結果處理
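/**
 * Flattens search hits into their {@code _source} maps, preserving hit order.
 *
 * @param hits hits from a search response; null is treated as no hits
 * @return a new list with one source map per hit, empty when there are none
 */
private ArrayList<Map<String, Object>> hitsToList(SearchHits hits) {
    if (hits == null) {
        return new ArrayList<>();
    }
    // Presize from the hit array so the loop never grows the backing array.
    ArrayList<Map<String, Object>> sources = new ArrayList<>(hits.getHits().length);
    for (SearchHit hit : hits) {
        sources.add(hit.getSourceAsMap());
    }
    return sources;
}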
本作品採用《CC 協議》,轉載必須註明作者和本文連結