
kibana常用聚合查询DSL语句记录

--------
GET winlogbeat-2017.11.*/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"Appname": {
"value": "FTP"
}
}
},
{
"range": {
"@timestamp": {
"gte": "2017-11-26T00:00:00.000+08:00",
"lte": "2017-11-26T23:59:59.000+08:00"
}
}
}
],
"should": [
{
"term": {
"action": {
"value": "LIST"
}
}
},
{
"term": {
"action": {
"value": "RETR"
}
}
},
{
"term": {
"action": {
"value": "STOR"
}
}
},
{
"term": {
"action": {
"value": "DELE"
}
}
}
],
"minimum_number_should_match": 1,
"must_not": [
{
"term": {
"filedir": {
"value": "/%{[filesub][1]}"
}
}
},{
"term": {
"filedir": {
"value": "-"
}
}
},{
"match": {
"message": ".ok"
}
}
]
}
}
}

GET winlogbeat-2017.11.*/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"Appname": {
"value": "FTP"
}
}
},
{
"terms": {
"action": [
"RETR"
]
}
},
{
"range": {
"@timestamp": {
"gte": "2017-11-26T00:00:00.000+08:00",
"lte": "2017-11-26T23:59:59.000+08:00"
}
}
}
],
"must_not": [
{
"term": {
"filedir": {
"value": "/%{[filesub][1]}"
}
}
},{
"term": {
"filedir": {
"value": "-"
}
}
},{
"match": {
"message": ".ok"
}
}
]
}
}
}
------
GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"Appname": {
"value": "FTP"
}
}
},
{
"terms": {
"action": [
"LIST",
"DELE",
"RETR",
"STOR"
]
}
},
{
"range": {
"@timestamp": {
"gte": "2017-11-26T00:00:00.000+08:00",
"lte": "2017-11-26T23:59:59.000+08:00"
}
}
}
],
"must_not": [
{
"term": {
"filedir": {
"value": "/%{[filesub][1]}"
}
}
},{
"term": {
"filedir": {
"value": "-"
}
}
},{
"match": {
"message": ".ok"
}
}
]
}
},
"size": 0,
"aggs": {
"ff": {
"terms": {
"field": "filedir",
"size": 100
}
}
}
}
------
GET winlogbeat-*/_search
{
"size": 0,
"query" : {
"bool" : {
"must" : [
{
"range" : {
"@timestamp" : {
"from" : 1511654400000,
"to" : 1511740800000,
"include_lower" : true,
"include_upper" : true,
"boost" : 1.0
}
}
},
{
"term" : {
"Appname" : {
"value" : "FTP",
"boost" : 1.0
}
}
},
{
"terms" : {
"action" : [
"LIST",
"STOR",
"DELE",
"RETR"
],
"boost" : 1.0
}
}
],
"must_not" : [
{
"match" : {
"message" : {
"query" : ".ok",
"operator" : "OR",
"prefix_length" : 0,
"max_expansions" : 50,
"fuzzy_transpositions" : true,
"lenient" : false,
"zero_terms_query" : "NONE",
"boost" : 1.0
}
}
},
{
"term" : {
"filedir" : {
"value" : "-",
"boost" : 1.0
}
}
},
{
"match" : {
"filedir" : {
"query" : "/%{[filesub][1]}",
"operator" : "OR",
"prefix_length" : 0,
"max_expansions" : 50,
"fuzzy_transpositions" : true,
"lenient" : false,
"zero_terms_query" : "NONE",
"boost" : 1.0
}
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
},
"aggregations" : {
"filedir_count" : {
"terms" : {
"field" : "filedir",
"size" : 10,
"shard_size" : -1,
"min_doc_count" : 1,
"shard_min_doc_count" : 0,
"show_term_doc_count_error" : false,
"order" : [
{
"_count" : "desc"
},
{
"_term" : "asc"
}
]
}
}
},
"ext" : { }
}
---------
RPT_C001_20171125.txt

GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
"size": 0,
"query" : {
"bool" : {
"must" : [
{
"range" : {
"@timestamp" : {
"from" : "2017-11-26T00:00:00.000+08:00",
"to" : "2017-11-26T23:59:59.000+08:00",
"include_lower" : true,
"include_upper" : true,
"boost" : 1.0
}
}
},
{
"term" : {
"Appname" : {
"value" : "FTP",
"boost" : 1.0
}
}
},
{
"terms" : {
"action" : [
"LIST",
"STOR",
"DELE",
"RETR"
],
"boost" : 1.0
}
}
],
"must_not" : [
{
"match" : {
"message" : {
"query" : ".ok",
"operator" : "OR",
"prefix_length" : 0,
"max_expansions" : 50,
"fuzzy_transpositions" : true,
"lenient" : false,
"zero_terms_query" : "NONE",
"boost" : 1.0
}
}
},
{
"term" : {
"filedir" : {
"value" : "-",
"boost" : 1.0
}
}
},
{
"match" : {
"filedir" : {
"query" : "/%{[filesub][1]}",
"operator" : "OR",
"prefix_length" : 0,
"max_expansions" : 50,
"fuzzy_transpositions" : true,
"lenient" : false,
"zero_terms_query" : "NONE",
"boost" : 1.0
}
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
},
"aggregations" : {
"aggTop" : {
"terms" : {
"field" : "filedir",
"size" : 50,
"shard_size" : -1,
"min_doc_count" : 1,
"shard_min_doc_count" : 0,
"show_term_doc_count_error" : false,
"order" : [
{
"_count" : "desc"
},
{
"_term" : "asc"
}
]
}
}
},
"ext" : { }
}

GET winlogbeat-2017.11.25,winlogbeat-2017.11.26/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"Appname": {
"value": "FTP"
}
}
},
{
"terms": {
"action": [
"LIST",
"DELE",
"RETR",
"STOR"
]
}
},
{
"range": {
"@timestamp": {
"gte": "2017-11-26T00:00:00.000+08:00",
"lte": "2017-11-26T23:59:59.000+08:00"
}
}
}
],
"must_not": [
{
"term": {
"filedir": {
"value": "/%{[filesub][1]}"
}
}
},{
"term": {
"filedir": {
"value": "-"
}
}
},{
"match": {
"message": ".ok"
}
}
]
}
},
"size": 0,
"aggs": {
"ff": {
"terms": {
"field": "filedir",
"size": 100
}
}
}
}

GET winlogbeat-2017.11.*/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"Appname": {
"value": "FTP"
}
}
},
{
"term": {
"filedir": {
"value": "/SJPT"
}
}
},
{
"terms": {
"action": [
"LIST",
"DELE",
"RETR",
"STOR"
]
}
},
{
"range": {
"@timestamp": {
"gte": "2017-11-26T00:00:00.000+08:00",
"lte": "2017-11-26T23:59:59.000+08:00"
}
}
}
],
"must_not": [
{
"term": {
"filedir": {
"value": "/%{[filesub][1]}"
}
}
},{
"term": {
"filedir": {
"value": "-"
}
}
},{
"match": {
"message": ".ok"
}
}
]
}
}
}
------

GET winlogbeat-2017.11.*/_search
{
"size": 0,
"query" : {
"bool" : {
"must" : [
{
"range" : {
"@timestamp" : {
"from" : "2017-11-26T00:00:00.000+08:00",
"to" : "2017-11-26T23:59:59.000+08:00",
"include_lower" : true,
"include_upper" : true,
"boost" : 1.0
}
}
},
{
"term" : {
"Appname" : {
"value" : "FTP",
"boost" : 1.0
}
}
},
{
"term" : {
"action" : {
"value" : "LIST",
"boost" : 1.0
}
}
}
],
"must_not" : [
{
"match" : {
"message" : {
"query" : ".ok",
"operator" : "OR",
"prefix_length" : 0,
"max_expansions" : 50,
"fuzzy_transpositions" : true,
"lenient" : false,
"zero_terms_query" : "NONE",
"boost" : 1.0
}
}
},
{
"term" : {
"filedir" : {
"value" : "-",
"boost" : 1.0
}
}
},
{
"match" : {
"filedir" : {
"query" : "/%{[filesub][1]}",
"operator" : "OR",
"prefix_length" : 0,
"max_expansions" : 50,
"fuzzy_transpositions" : true,
"lenient" : false,
"zero_terms_query" : "NONE",
"boost" : 1.0
}
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
},
"aggregations" : {
"aggTop" : {
"terms" : {
"field" : "filedir",
"size" : 50,
"shard_size" : -1,
"min_doc_count" : 1,
"shard_min_doc_count" : 0,
"show_term_doc_count_error" : false,
"order" : [
{
"_count" : "desc"
},
{
"_term" : "asc"
}
]
}
},
"aggList" : {
"terms" : {
"field" : "account",
"size" : 50,
"shard_size" : -1,
"min_doc_count" : 1,
"shard_min_doc_count" : 0,
"show_term_doc_count_error" : false,
"order" : [
{
"_count" : "desc"
},
{
"_term" : "asc"
}
]
}
}
},
"ext" : { }
}

GET winlogbeat-2017.11.*/_search
{
"query": {
"bool": {
"must": [
{
"term": {
"Appname": {
"value": "FTP"
}
}
},
{
"term": {
"account": {
"value": "ICCCUAT\\uatjc06400"
}
}
},
{
"terms": {
"action": [
"LIST"
]
}
},
{
"range": {
"@timestamp": {
"gte": "2017-11-26T00:00:00.000+08:00",
"lte": "2017-11-26T23:59:59.000+08:00"
}
}
}
],
"must_not": [
{
"term": {
"filedir": {
"value": "/%{[filesub][1]}"
}
}
},{
"term": {
"filedir": {
"value": "-"
}
}
},{
"match": {
"message": ".ok"
}
}
]
}
}
}


  