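How to solve: Kibana: "not not" operator chained on the same field in the same query; "and" and "and not" precedence
I have to search for documents where the text field "Body" includes "Balance for subscriber with SAN" and excludes "was not found after invoking reip-adapter". I created a KQL request in Kibana:
Body : "Balance for subscriber with SAN" and not Body : "was not found after invoking reip-adapter"
But the results include both conditions, for example: "Balance for subscriber with SAN" and "was not found after invoking reip-adapter". Why are "Balance for subscriber with SAN" and "was not found after invoking reip-adapter" both shown in my results?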
"query": {
  "bool": {
    "must": [],
    "filter": [
      {
        "bool": {
          "filter": [
            {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "Body": "Balance for subscriber with SAN"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            },
            {
              "bool": {
                "must_not": {
                  "bool": {
                    "should": [
                      {
                        "match_phrase": {
                          "Body": "was not found after invoking reip-adapter"
                        }
                      }
                    ],
                    "minimum_should_match": 1
                  }
                }
              }
            }
          ]
        }
      },
      {
        "range": {
          "Timestamp": {
            "format": "strict_date_optional_time",
            "gte": "2020-08-29T08:24:55.067Z",
            "lte": "2020-08-29T10:24:55.067Z"
          }
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}
The "not" condition does not work. Response:
-----omitted--------
"_source": {
  "prospector": {},
  "Severity": "INFO",
  "uuid": "e71b207a-42a6-4b2c-98d1-b1094c578776",
  "Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
  "tags": [
    "iptv",
    "beats_input_codec_plain_applied"
  ],
  "source": "/applogs/Iptv/app.log",
  "host": {
    "name": "e38"
  },
  "offset": 23097554,
  "pid": "2473",
  "Configuration": "IptvFacadeBean",
  "Timestamp": "2020-08-29T10:24:50.040Z",
  "@timestamp": "2020-08-29T10:24:50.446Z",
  "input": {}
}
-----omitted--------
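Solution
The index data that you are indexing for the Body field is:
"Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
There is no space between the number and was (0400043102was), so the tokens generated are: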
POST /_analyze
{
  "analyzer": "standard",
  "text": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
}
The tokens are:
{
  "tokens": [
    { "token": "balance", "start_offset": 0, "end_offset": 7, "type": "<ALPHANUM>", "position": 0 },
    { "token": "for", "start_offset": 8, "end_offset": 11, "position": 1 },
    { "token": "subscriber", "start_offset": 12, "end_offset": 22, "position": 2 },
    { "token": "with", "start_offset": 23, "end_offset": 27, "position": 3 },
    { "token": "san", "start_offset": 28, "end_offset": 31, "position": 4 },
    { "token": "0400043102was", "start_offset": 32, "end_offset": 45, "position": 5 },   <-- note this
    { "token": "not", "start_offset": 46, "end_offset": 49, "position": 6 },
    { "token": "found", "start_offset": 50, "end_offset": 55, "position": 7 },
    { "token": "after", "start_offset": 56, "end_offset": 61, "position": 8 },
    { "token": "invoking", "start_offset": 62, "end_offset": 70, "position": 9 },
    { "token": "reip", "start_offset": 71, "end_offset": 75, "position": 10 },
    { "token": "adapter", "start_offset": 76, "end_offset": 83, "position": 11 }
  ]
}
So when you try a match_phrase like this:
"should": [
  {
    "match_phrase": {
      "Body": "was not found after invoking reip-adapter"
    }
  }
]
no token was generated for was, so the document matches and the must_not condition does not work.
Index data:
{ "Body":"Balance for subscriber with SAN=0400043102" }
{ "Body":"Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter." }
Search query:
{
  "query": {
    "bool": {
      "must": {
        "match_phrase": {
          "Body": "Balance for subscriber with SAN"
        }
      },
      "must_not": {
        "match_phrase": {
          "Body": "not found after invoking reip-adapter"
        }
      }
    }
  }
}
Search result:
"hits": [
  {
    "_index": "my_index",
    "_type": "_doc",
    "_id": "2",
    "_score": 1.055546,
    "_source": {
      "Body": "Balance for subscriber with SAN=0400043102"
    }
  }
]
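The behaviour described in the answer can be reproduced offline with the added example below, which is not part of the original question or answer. It assumes a simplified stand-in for the standard analyzer (lowercase, split on non-alphanumeric characters) that yields the same tokens as the _analyze output above for these inputs; the function names are hypothetical.

```python
import re

def analyze(text):
    """Simplified stand-in for the standard analyzer (an assumption, not
    Elasticsearch code): lowercase and split on non-alphanumeric characters."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]

def match_phrase(doc_text, phrase):
    """True when every phrase token occurs, in order, at consecutive
    token positions in the document."""
    doc, want = analyze(doc_text), analyze(phrase)
    n = len(want)
    return n > 0 and any(doc[i:i + n] == want for i in range(len(doc) - n + 1))

def search(docs, must, must_not):
    """bool query with one must and one must_not match_phrase clause."""
    return [d for d in docs
            if match_phrase(d, must) and not match_phrase(d, must_not)]

# Sample documents built from the Body values shown on this page
DOCS = [
    "Balance for subscriber with SAN=0400043102",
    "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
]
MUST = "Balance for subscriber with SAN"

def run():
    return {
        # "was" is never a token of its own ("0400043102was" is), so the
        # excluded phrase matches nothing and the second document is returned
        "with_was": search(DOCS, MUST, "was not found after invoking reip-adapter"),
        # dropping "was" lets the phrase line up with positions 6..11
        "without_was": search(DOCS, MUST, "not found after invoking reip-adapter"),
    }

if __name__ == "__main__":
    print(analyze(DOCS[1]))
    for name, hits in run().items():
        print(name, len(hits), hits)
```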