java操作EsApi不能忽略的步骤;
| /** | |
| * @author zhangxiao | |
| * @qq 490433117 | |
| * @create_date 2021/9/8 11:54 | |
| */ | |
| package com.foodie.elasticsearch; | |
| import org.elasticsearch.action.search.SearchRequest; | |
| import org.elasticsearch.action.search.SearchResponse; | |
| import org.elasticsearch.client.RequestOptions; | |
| import org.elasticsearch.client.RestHighLevelClient; | |
| import org.elasticsearch.index.query.QueryBuilders; | |
| import org.elasticsearch.search.builder.SearchSourceBuilder; | |
| import org.junit.Test; | |
| import org.junit.runner.RunWith; | |
| import org.springframework.beans.factory.annotation.Autowired; | |
| import org.springframework.boot.test.context.SpringBootTest; | |
| import org.springframework.test.context.junit4.SpringRunner; | |
| public class elasticsearchTest { | |
| private RestHighLevelClient restHighLevelClient; | |
| public void index() { | |
| SearchRequest searchRequest = new SearchRequest(); | |
| // 1.指定索引 | |
| searchRequest.indices("kibana_sample_data_ecommerce"); | |
| // 2.指定检索条件DSL | |
| SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder(); | |
| // 3.构造检索条件 | |
| searchSourceBuilder.query(QueryBuilders.matchQuery("products.product_id", "9999")); | |
| searchRequest.source(searchSourceBuilder); | |
| try { | |
| // 4.发送数据 | |
| SearchResponse response = restHighLevelClient.search(searchRequest, RequestOptions.DEFAULT); | |
| long value1 = response.getHits().getTotalHits().value; | |
| System.out.println(value1); | |
| } catch (Exception e) { | |
| throw new RuntimeException(e); | |
| } | |
| } | |
| } |
复杂查询这样操作
| public SiemCriteria querySiemByEs(SiemCriteria siemCriteria) { | |
| // es 查询 | |
| RestHighLevelClient esClient = Esclient.getClient(); | |
| SearchRequest searchRequest = new SearchRequest(); | |
| String[] winlogIndex = getWinlogIndex(siemCriteria); | |
| if (winlogIndex == null || winlogIndex.length == 0) { | |
| siemCriteria.setPageList(new ArrayList()); | |
| return siemCriteria; | |
| } | |
| searchRequest.indices(winlogIndex); | |
| SearchSourceBuilder sourceBuilder = new SearchSourceBuilder(); | |
| sourceBuilder.fetchSource(fetchSource(siemCriteria), null); | |
| sourceBuilder.sort("@timestamp", SortOrder.DESC); | |
| sourceBuilder.size(siemCriteria.getPageSize()); | |
| sourceBuilder.from((siemCriteria.getCurrentPage() - 1) * siemCriteria.getPageSize()); | |
| // 建立一个bool查询 | |
| BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery(); | |
| boolQueryBuilder = rangeQuery(boolQueryBuilder, siemCriteria); | |
| boolQueryBuilder = conditionQuery(boolQueryBuilder, siemCriteria); | |
| sourceBuilder.query(boolQueryBuilder); | |
| searchRequest.source(sourceBuilder); | |
| //time out | |
| sourceBuilder.timeout(new TimeValue(60, TimeUnit.SECONDS)); | |
| // 查询 | |
| SearchResponse response; | |
| try { | |
| response = esClient.search(searchRequest, RequestOptions.DEFAULT); | |
| SearchHits hits = response.getHits(); | |
| Long totalHits = hits.getTotalHits().value; | |
| siemCriteria.setTotalCount(totalHits.intValue()); | |
| siemCriteria.setPageList(hitsToList(hits)); | |
| } catch (IOException e) { | |
| e.printStackTrace(); | |
| } | |
| return siemCriteria; | |
| } |
1范围查询函数封装
| private BoolQueryBuilder rangeQuery(BoolQueryBuilder boolQueryBuilder, SiemCriteria siemCriteria) { | |
| Map<String, Object> condition = siemCriteria.getCondition(); | |
| Object start = condition.get("startTime"); | |
| Object end = condition.get("endTime"); | |
| if (null != start && null != end) { | |
| return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp").gte(DateUtil.intToEsString((Integer) start)).lte(DateUtil.intToEsString((Integer) end))); | |
| } else if (null != start) { | |
| return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp").gte(DateUtil.intToEsString((Integer) start))); | |
| } else if (null != end) { | |
| return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp").lte(DateUtil.intToEsString((Integer) end))); | |
| } else { | |
| return boolQueryBuilder.must(QueryBuilders.rangeQuery("@timestamp").gte(DateUtil.intToEsString(DateUtil.getCurrentTime() - (60 * 60 * 24 * 3)))); | |
| } | |
| } |
2构建复杂条件
| private BoolQueryBuilder conditionQuery(BoolQueryBuilder boolQueryBuilder, SiemCriteria siemCriteria) { | |
| Map<String, Object> condition = siemCriteria.getCondition(); | |
| if (MapUtils.isNotEmpty(condition)) { | |
| Object textval = condition.get("textval"); | |
| if (null != textval && StringUtil.isNotEmpty((String) textval)) { | |
| boolQueryBuilder = boolQueryBuilder.must(QueryBuilders.multiMatchQuery(textval, new String[]{"message", "host.ip", "host.name"})); | |
| } | |
| Object ipaddr = condition.get("ip"); | |
| if (null != ipaddr && StringUtil.isNotEmpty((String) ipaddr)) { | |
| boolQueryBuilder = boolQueryBuilder.must(QueryBuilders.termQuery("host.ip", ipaddr)); | |
| } | |
| } | |
| return boolQueryBuilder; | |
| } |
3设置需要返回的字段
| // es 需要返回字段 | |
| private String[] fetchSource(SiemCriteria siemCriteria) { | |
| Map<String, Object> condition = siemCriteria.getCondition(); | |
| Object sourceList = condition.get("sourceList"); | |
| if (null != sourceList) { | |
| List<String> sourceList1 = (List) sourceList; | |
| if (CollectionUtils.isNotEmpty(sourceList1)) { | |
| String[] array = new String[sourceList1.size()]; | |
| for (int i = 0; i < sourceList1.size(); i++) { | |
| array[i] = sourceList1.get(i); | |
| } | |
| return array; | |
| } | |
| } | |
| return new String[]{ | |
| "message", // 消息 | |
| "@timestamp", // 时间 | |
| "log.level", // 事件等级 | |
| "log", | |
| "host", | |
| "message", | |
| "winlog" | |
| }; | |
| } |
4返回结果处理
| private ArrayList hitsToList(SearchHits hits) { | |
| ArrayList<Map<String, Object>> list = new ArrayList<>(); | |
| for (SearchHit documentFields : hits) { | |
| list.add(documentFields.getSourceAsMap()); | |
| } | |
| return list; | |
| } |