Java 操作 ES API 不能忽略的步骤
/**
* @author zhangxiao
* @qq 490433117
* @create_date 2021/9/8 11:54
*/
package com.foodie.elasticsearch;

import java.io.IOException;
import java.io.UncheckedIOException;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
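@SpringBootTest
@RunWith(SpringRunner.class)
public class elasticsearchTest {

    /** High-level REST client injected by Spring; the endpoint and credentials are configured outside this file. */
    @Autowired
    private RestHighLevelClient restHighLevelClient;

    /**
     * Runs a single {@code match} query against the {@code kibana_sample_data_ecommerce} sample
     * index and prints the number of matching documents.
     *
     * <p>There is no assertion: the test only proves that the request round-trips without
     * throwing. The client's checked {@link IOException} is rethrown unchecked (cause preserved)
     * so it shows up as a test error rather than being swallowed.
     *
     * @throws UncheckedIOException if the request cannot be sent or the response cannot be read
     * @throws IllegalStateException if the response carries no total-hit count
     */
    @Test
    public void index() {
        // 1. Target index
        SearchRequest searchRequest = new SearchRequest();
        searchRequest.indices("kibana_sample_data_ecommerce");

        // 2./3. Query DSL: a match query on one field
        SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
        searchSourceBuilder.query(QueryBuilders.matchQuery("products.product_id", "9999"));
        searchRequest.source(searchSourceBuilder);

        try {
            // 4. Execute the search
            SearchResponse response = restHighLevelClient.search(searchRequest, RequestOptions.DEFAULT);
            // getTotalHits() is null when total-hit tracking is disabled on the request; it is
            // enabled by default, but fail with a clear message instead of an NPE if that changes.
            if (response.getHits().getTotalHits() == null) {
                throw new IllegalStateException("total hits are not tracked for this search");
            }
            long totalHits = response.getHits().getTotalHits().value;
            System.out.println(totalHits);
        } catch (IOException e) {
            // Only the client's I/O failure is expected here; anything else propagates unchanged.
            throw new UncheckedIOException("search against kibana_sample_data_ecommerce failed", e);
        }
    }
}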
复杂查询这样操作
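/**
 * Runs the paged SIEM search described by {@code siemCriteria} against the winlog indices
 * and fills the criteria object with the current page and the total hit count.
 *
 * <p>The query is a {@code bool} query combining the {@code @timestamp} window from
 * {@link #rangeQuery} with the optional text / IP filters from {@link #conditionQuery};
 * results are sorted by {@code @timestamp} descending and projected to the fields chosen by
 * {@link #fetchSource}.
 *
 * <p>Two ES defaults worth knowing when reading the result: the tracked total is capped
 * (10,000 in 7.x unless {@code track_total_hits} is raised), and {@code from + size} may not
 * exceed the index's {@code max_result_window}, so very deep pages are rejected by ES.
 *
 * @param siemCriteria page size, current page (1-based) and condition map; mutated in place
 * @return the same {@code siemCriteria} with {@code pageList} and {@code totalCount} set
 * @throws java.io.UncheckedIOException if the search request fails at the transport level
 */
@Override
public SiemCriteria querySiemByEs(SiemCriteria siemCriteria) {
    RestHighLevelClient esClient = Esclient.getClient();

    // Index pattern derived from the criteria; nothing to search without one.
    String[] winlogIndex = getWinlogIndex(siemCriteria);
    if (winlogIndex == null || winlogIndex.length == 0) {
        siemCriteria.setPageList(new ArrayList<>());
        siemCriteria.setTotalCount(0);
        return siemCriteria;
    }

    SearchRequest searchRequest = new SearchRequest();
    searchRequest.indices(winlogIndex);

    SearchSourceBuilder sourceBuilder = new SearchSourceBuilder();
    sourceBuilder.fetchSource(fetchSource(siemCriteria), null);
    sourceBuilder.sort("@timestamp", SortOrder.DESC);

    // ES rejects a negative "from"; treat any page below 1 as the first page.
    int pageSize = siemCriteria.getPageSize();
    int from = Math.max(0, siemCriteria.getCurrentPage() - 1) * pageSize;
    sourceBuilder.size(pageSize);
    sourceBuilder.from(from);

    // bool query: time window first, then the optional user filters
    BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();
    boolQueryBuilder = rangeQuery(boolQueryBuilder, siemCriteria);
    boolQueryBuilder = conditionQuery(boolQueryBuilder, siemCriteria);
    sourceBuilder.query(boolQueryBuilder);

    // Search-level timeout evaluated on the ES side; it does not bound the HTTP call itself.
    sourceBuilder.timeout(new TimeValue(60, TimeUnit.SECONDS));
    searchRequest.source(sourceBuilder);

    try {
        SearchResponse response = esClient.search(searchRequest, RequestOptions.DEFAULT);
        SearchHits hits = response.getHits();
        // getTotalHits() is null only when total-hit tracking is disabled (it is on by default).
        long total = hits.getTotalHits() == null ? 0L : hits.getTotalHits().value;
        // Saturate rather than silently wrap if the count does not fit the int field.
        siemCriteria.setTotalCount((int) Math.min(total, Integer.MAX_VALUE));
        siemCriteria.setPageList(hitsToList(hits));
    } catch (IOException e) {
        // A failed SIEM query must not look like "no events"; surface it with the indices involved.
        throw new java.io.UncheckedIOException(
                "SIEM search failed for indices " + String.join(",", winlogIndex), e);
    }
    return siemCriteria;
}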
1. 范围查询函数封装
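/**
 * Adds the {@code @timestamp} window from the criteria's {@code startTime} / {@code endTime}
 * condition values as a {@code must} range clause.
 *
 * <p>Bound values are integers converted with {@link DateUtil#intToEsString} (presumably epoch
 * seconds: the default window is expressed as {@code 60 * 60 * 24 * 3}). A missing bound leaves
 * that side of the range open; with neither bound present the window defaults to the last three
 * days so a request without a time filter cannot sweep the whole index.
 *
 * @param boolQueryBuilder the query being built; the range clause is added to it
 * @param siemCriteria source of the condition map (a null map counts as "no bounds")
 * @return {@code boolQueryBuilder} with the range clause added
 * @throws ClassCastException if a bound is present but is not a {@link Number}
 */
private BoolQueryBuilder rangeQuery(BoolQueryBuilder boolQueryBuilder, SiemCriteria siemCriteria) {
    Map<String, Object> condition = siemCriteria.getCondition();
    Object start = condition == null ? null : condition.get("startTime");
    Object end = condition == null ? null : condition.get("endTime");

    Object lower = start == null ? null : toEsTime(start);
    Object upper = end == null ? null : toEsTime(end);
    if (lower == null && upper == null) {
        // No window supplied: look back three days from now.
        lower = DateUtil.intToEsString(DateUtil.getCurrentTime() - (60 * 60 * 24 * 3));
    }
    // A null bound is the builder's "unbounded" state, the same as never calling gte/lte.
    return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp").gte(lower).lte(upper));
}

/**
 * Converts a condition value to the ES timestamp representation used by {@link DateUtil}.
 * Any {@link Number} is accepted (condition maps filled from JSON may carry Long or Double),
 * not only {@link Integer}.
 */
private static Object toEsTime(Object value) {
    return DateUtil.intToEsString(((Number) value).intValue());
}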
2. 构建复杂条件
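/**
 * Adds the optional free-text and host-IP filters from the criteria's condition map.
 *
 * <p>{@code textval} becomes a {@code multi_match} over {@code message}, {@code host.ip} and
 * {@code host.name}; {@code ip} becomes an exact {@code term} clause on {@code host.ip}. Both
 * are structured query clauses built through the builder API, so the user-supplied values are
 * matched as plain text and cannot alter the shape of the query. Values that are absent, empty
 * or not strings are skipped instead of failing the whole search.
 *
 * @param boolQueryBuilder the query being built; clauses are added to it
 * @param siemCriteria source of the condition map (null or empty map adds nothing)
 * @return {@code boolQueryBuilder} with any applicable clauses added
 */
private BoolQueryBuilder conditionQuery(BoolQueryBuilder boolQueryBuilder, SiemCriteria siemCriteria) {
    Map<String, Object> condition = siemCriteria.getCondition();
    if (MapUtils.isEmpty(condition)) {
        return boolQueryBuilder;
    }

    Object textval = condition.get("textval");
    if (textval instanceof String && StringUtil.isNotEmpty((String) textval)) {
        boolQueryBuilder = boolQueryBuilder.must(
                QueryBuilders.multiMatchQuery(textval, "message", "host.ip", "host.name"));
    }

    Object ipaddr = condition.get("ip");
    if (ipaddr instanceof String && StringUtil.isNotEmpty((String) ipaddr)) {
        boolQueryBuilder = boolQueryBuilder.must(QueryBuilders.termQuery("host.ip", ipaddr));
    }
    return boolQueryBuilder;
}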
3. 设置需要返回的字段
// es 需要返回字段
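/**
 * Chooses which {@code _source} fields ES should return for each hit.
 *
 * <p>If the condition map carries a non-empty {@code sourceList}, those field names are used
 * verbatim; otherwise a fixed default projection is returned.
 *
 * <p>NOTE(review): the caller-supplied list is passed through without validation, so any field
 * of the index can be requested. If the criteria originate from end users, restrict the list to
 * a known set of field names before it reaches this point.
 *
 * @param siemCriteria source of the condition map (a null map selects the default projection)
 * @return the field names to include in {@code _source}; never empty
 * @throws ClassCastException if {@code sourceList} contains a non-String element
 */
private String[] fetchSource(SiemCriteria siemCriteria) {
    Map<String, Object> condition = siemCriteria.getCondition();
    Object sourceList = condition == null ? null : condition.get("sourceList");
    if (sourceList instanceof List) {
        List<?> requested = (List<?>) sourceList;
        if (CollectionUtils.isNotEmpty(requested)) {
            // Element-wise cast keeps the failure mode explicit for non-String entries.
            return requested.stream().map(String.class::cast).toArray(String[]::new);
        }
    }
    // Default projection: each name listed once ("message" need not be repeated).
    return new String[] {
            "message",    // event text
            "@timestamp", // event time
            "log.level",  // severity
            "log",
            "host",
            "winlog"
    };
}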
4. 返回结果处理
/**
 * Flattens the search hits into one {@code _source} map per document, preserving hit order.
 *
 * @param hits the hits of a search response
 * @return a new list holding each hit's source map
 */
private ArrayList hitsToList(SearchHits hits) {
    SearchHit[] documents = hits.getHits();
    ArrayList<Map<String, Object>> sources = new ArrayList<>(documents.length);
    for (SearchHit document : documents) {
        sources.add(document.getSourceAsMap());
    }
    return sources;
}