1、bool 查询：must 中的子句必须全部命中，must_not 中的子句用于排除。
2、使用 match_phrase_prefix 查询，避免分词把 `senderId=348142809471942656` 这类条件切成无序的独立词：它按分析后的词序做短语匹配，只有最后一个词按前缀匹配。注意它既不是模糊（fuzzy）匹配，也不支持 `*` 通配符——在默认的 standard 分析器下 `/device/IOC/*` 中的 `/` 和 `*` 会被直接丢弃，只剩 `device`、`ioc` 两个词；而且"最后一个词按前缀匹配"意味着更长的 senderId（如 3481428094719426560）同样会命中，需要精确过滤时应改用 keyword 字段上的 term 查询。
3、时间区间查询（range + @timestamp）：`format` 与 `time_zone` 只作用于 `gte` 这样的日期字符串，`now` 始终是当前 UTC 时刻，不受 `time_zone` 影响。
4、查询结果包含/排除某些字段（`_source` 过滤，文档形式是 `includes`/`excludes`，单数 `include`/`exclude` 是已废弃的别名），可以用 `host.name` 这样的点分路径表示层级；写了 `includes` 之后未列出的字段本来就不会返回，`excludes` 只在需要剔除已包含对象的某个子字段时才有必要。
5、排序查询：按 `@timestamp` 降序返回。
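GET applog-info-sms-send-service-zhxy-2021.10.08/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match_phrase_prefix": {
            "message": "businessSmsSendParams"
          }
        },
        {
          "match_phrase_prefix": {
            "message": "senderId=348142809471942656"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-10-08 07:14:05",
              "lte": "now",
              "format": "yyyy-MM-dd HH:mm:ss",
              "time_zone": "+8"
            }
          }
        }
      ],
      "must_not": [
        {
          "match_phrase_prefix": {
            "message": "/device/IOC/*"
          }
        }
      ]
    }
  },
  "_source": {
    "includes": ["host.name", "message"],
    "excludes": ["log", "ecs", "agent", "input", "host.hostname"]
  },
  "sort": {
    "@timestamp": {
      "order": "desc"
    }
  }
}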



