1. Check the ES cluster state: curl http://localhost:9200/_cluster/health?pretty
2. Check the state of each index in the cluster: curl http://localhost:9200/_cat/indices
Reference (article title): "Fixing shard synchronization errors when upgrading Elasticsearch 6.0.0 from a single node to a multi-node cluster"
3. ES query statements:
curl -XGET 'localhost:9200/mitre-attack-2019.08.13?pretty'
Here mitre-attack-2019.08.13 is the index name, and ?pretty asks for pretty-printed output.
Query all documents in an index (match_all; size caps the number of hits returned, here 1):
curl -XPOST 'localhost:9200/mitre-attack-2019.08.13/_search?pretty' -d '
{
"query": { "match_all": {} },
"size": 1
}'
If this returns the error:
"error" : "Content-Type header [application/x-www-form-urlencoded] is not supported",
the request must carry the header -H "Content-Type: application/json", i.e.:
curl -H "Content-Type: application/json" -XPOST 'localhost:9200/mitre-attack-2019.08.13/_search?pretty' -d '
{
"query": { "match_all": {} },
"size": 1
}'
Reference (article title): "ElasticSearch index query guide, detailed edition"
View index templates:
curl -XGET 'localhost:9200/_template/logs*?pretty'
This lists every index template whose name starts with logs.
Delete indices:
curl -XDELETE 'localhost:9200/mitre-*/?pretty'
This deletes every index whose name starts with mitre.
A shard is a slice of an index; replicas are copies of a shard.
Elasticsearch bool query (Kibana Dev Tools console syntax). The clauses under must are ANDed; inside each nested bool, the should clauses are ORed, so at least one pattern from every group has to match:
GET logs-endpoint-winevent-sysmon-2019.06.25/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "process_name": { "query": "reg.exe" } } },
        { "bool": { "should": [
          { "match": { "process_command_line": "* save *" } },
          { "match": { "process_command_line": "* export *" } }
        ] } },
        { "bool": { "should": [
          { "match": { "process_command_line": "*hklm*" } },
          { "match": { "process_command_line": "*hkey_local_machine*" } }
        ] } },
        { "bool": { "should": [
          { "match": { "process_command_line": "*\\sam *" } },
          { "match": { "process_command_line": "*\\security *" } },
          { "match": { "process_command_line": "*\\system *" } }
        ] } }
      ]
    }
  }
}
Reference: Combining queries (组合查询), https://www.elastic.co/guide/cn/elasticsearch/guide/current/multi-query-strings.html