Query the wildcard index pattern 202*.log by the keywords Action and MD5:
curl -u user:'password' -H "Content-Type: application/json" 'http://127.1:9200/202*.log/_search?pretty' -XPOST -d '{
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{
"terms": {
"Action": ["CREATE"]
}
},
{
"match_phrase": {
"MD5": "9cb602258d4432668d887c3f3c86eca3"
}
}
]
}
}
]
}
},
"sort":[{"Timestamp":{"order":"desc"}}],
"size":3
}'
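Elasticsearch returns the following. Under _shards, successful: 15 means the query succeeded on 15 shards, and failed: 40 means it failed on 40 shards.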
{
"took" : 99,
"timed_out" : false,
"_shards" : {
"total" : 55,
"successful" : 15,
"skipped" : 0,
"failed" : 40,
"failures" : [
{
"shard" : 0,
"index" : "2022.log",
"node" : "o5LJ-M2eRlOvpc1DTMRkEg",
"reason" : {
"type" : "query_shard_exception",
"reason" : "No mapping found for 1717859176 in order to sort on",
"index_uuid" : "Cg_KPEIDSXKkALQVrTUYoQ",
"index" : "2022.log"
}
},
{
"shard" : 0,
"index" : "2023.log",
"node" : "o5LJ-M2eRlOvpc1DTMRkEg",
"reason" : {
"type" : "query_shard_exception",
"reason" : "No mapping found for 1717859176 in order to sort on",
"index_uuid" : "cl8DXfZeS0a2MBvuLFLdVg",
"index" : "2023.log"
}
}
]
},
"hits" : {
"total" : 0,
"max_score" : null,
"hits" : [ ]
}
}
Take one of the failure entries and analyze it:
{
"shard" : 0,
"index" : "2022.log",
"node" : "o5LJ-M2eRlOvpc1DTMRkEg",
"reason" : {
"type" : "query_shard_exception",
"reason" : "No mapping found for 1717859176 in order to sort on",
"index_uuid" : "Cg_KPEIDSXKkALQVrTUYoQ",
"index" : "2022.log"
}
}
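"type" : "query_shard_exception" means the query failed on that shard.
"reason" : "No mapping found for 1717859176 in order to sort on" means no mapping was found for the sort field.
Possible cause: the mapping contains no data, that is, the sort field Timestamp does not exist in the mapping, or the mapping of an index is empty. So the first step is to retrieve the mapping of the indices involved.
Query the mapping of the indices:
curl -u user:'password' -H "Content-Type: application/json" 'http://127.1:9200/202*.log/_mapping?pretty'
Result: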
{
"2022.log" : {
"mappings" : { }
},
"2023.log" : {
"mappings" : { }
},
"2024.log" : {
"mappings" : {
"product_name" : {
"properties" : {
"Timestamp" : {
"type" : "long"
}
}
}
}
}
}
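According to the response, the mappings of 2022.log and 2023.log are both empty, so Elasticsearch did not sort on these two indices.
The unmapped_type field is therefore needed to ignore those that have no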
curl -u user:'password' -H "Content-Type: application/json" 'http://127.1:9200/202*.log/_search?pretty' -XPOST -d '{
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{
"terms": {
"Action": ["CREATE"]
}
},
{
"match_phrase": {
"MD5": "9cb602258d4432668d887c3f3c86eca3"
}
}
]
}
}
]
}
},
"sort":[{"Timestamp":{"order":"desc", "unmapped_type": "long"}}],
"size":3
}'
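When the query is an indicator hunt such as the MD5 search above, "hits.total: 0" with failed shards is not a negative result. The following is an added example, not code from the original post: it classifies a _search response so that partial shard failures are reported as inconclusive, and adds unmapped_type to a sort clause. The function names and verdict labels are assumptions, and the sample response is a constructed, trimmed copy of the one shown earlier.

```python
import json

# Constructed sample: a trimmed copy of the failed _search response above.
SAMPLE = json.loads("""
{"timed_out": false,
 "_shards": {"total": 55, "successful": 15, "skipped": 0, "failed": 40,
  "failures": [
   {"shard": 0, "index": "2022.log", "reason": {"type": "query_shard_exception",
     "reason": "No mapping found for 1717859176 in order to sort on"}},
   {"shard": 0, "index": "2023.log", "reason": {"type": "query_shard_exception",
     "reason": "No mapping found for 1717859176 in order to sort on"}}]},
 "hits": {"total": 0, "max_score": null, "hits": []}}
""")


def hit_count(resp):
    """hits.total is an int before ES 7.0 and {"value": n, ...} from 7.0 on."""
    total = resp["hits"]["total"]
    return total["value"] if isinstance(total, dict) else total


def assess_search(resp):
    """Classify a response so failed shards are never read as 'no match'."""
    shards = resp.get("_shards", {})
    failed = shards.get("failed", 0)
    by_index = {}
    for f in shards.get("failures", []):
        by_index.setdefault(f["index"], set()).add(f["reason"]["type"])
    partial = failed > 0 or resp.get("timed_out", False)
    if hit_count(resp):
        verdict = "match-partial" if partial else "match"
    else:
        verdict = "inconclusive" if partial else "no-match"
    return {"verdict": verdict, "failed_shards": failed,
            "total_shards": shards.get("total", 0),
            "failures_by_index": {i: sorted(t) for i, t in by_index.items()}}


def with_unmapped_type(body, field_types):
    """Copy a search body, adding unmapped_type to the listed sort fields."""
    fixed = json.loads(json.dumps(body))  # deep copy via JSON round trip
    for clause in fixed.get("sort", []):
        for field, opts in (clause.items() if isinstance(clause, dict) else ()):
            if isinstance(opts, dict) and field in field_types:
                opts.setdefault("unmapped_type", field_types[field])
    return fixed


if __name__ == "__main__":
    print(assess_search(SAMPLE))
```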