ES查询语句

range match agg 排序 查询ES
使用 scan 获取查询结果大于 10000 的数据

时间查询

{
    "query": {
        "range" : {
            "@timestamp" : {
                "gte" : 1505534400000,
                "lte" : 1505620800000
            }
        }
    }
}

条件查询

{
  "query": {
    "bool": {
      "must": [
        {"match": {"event": "2"}},
        {"range": {
          "@timestamp": {
            "gte": 1505534400000,
            "lte": 1505620800000
          }
        }}
      ]
    }
  }
}

聚合

{
  "query": {
    "bool": {
      "must": [
        {"match": {"event": "2"}},
        {"range": {
          "@timestamp": {
            "gte": 1505534400000,
            "lte": 1505620800000
          }
        }}
      ]
    }
  },
    "aggs": {
    "classroom_ids": {
      "terms": {
        "field": "classroom"
      }
    }
  }
}

聚合排序取最大

GET index*/_search
{
  "query": {
    "bool": {
      "must": [
        {"range": {
          "@timestamp": {
            "gte": 1517270400000,
            "lte": 1517488758000
          }
        }},
        {"match": {"user_type": "STUDENT"}},
        {"match": {"version": "6.3.0"}}
      ]
    }
  }, 
  "aggs": {
    "class_ids": {
      "terms": {
        "field": "class_id",
        "size": 20
      },
      "aggs": {
        "max_timestamp": {
          "max": {
            "field": "@timestamp"
          }
        }
      }
    }
  }, 
  "size": 0
}

查询所有的记录 > 2000

from elasticsearch_dsl import Search, Q

def build_range(begin, end):
    return {'@timestamp': dict(gte=begin, lte=end)}

timestamp_dict = build_range(start_tp, end_tp)
search = Search(using=es, index='INDEX*', doc_type='DOCTYPE')\
        .filter('range', **timestamp_dict)\
        .query(Q('bool', must=[Q('match', field='python')]))

for hit in search.scan():
source = hit.to_dict()
source = {key: value
                 for key, value in source.items()
                 if key in [filed1, filed2 ...]}