ElasticSearch: nested query with an "IN" operation. I have the following data in my index:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 4,
"max_score": 1,
"hits": [
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=0 RESULT tag=97 err=49 text=",
"@timestamp": "2016-11-11T10:52:42.921Z",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 0,
"tag": 97,
"error_code": 49
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 fd=13 ACCEPT from IP=10.1.2.2:37713 (IP=0.0.0.0:389)",
"@version": "1",
"@timestamp": "2016-11-11T10:52:42.920Z",
"type": "slapdmine",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"fd_number": "13",
"src_ip": "10.1.2.2"
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=0 BIND dn=\"uid=dharmikp,ou=python,dc=red5admin\" method=128",
"@version": "1",
"@timestamp": "2016-11-11T10:52:42.920Z",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 0,
"operation_name": "BIND",
"bind_dn": "uid=dharmikp,ou=python,dc=red5admin",
"bind_method": "128"
}
},
{
"_index": "para-slapdmine-logs-2016.11.11",
"_score": 1,
"_source": {
"message": "<167>Nov 11 16:22:05 red5admin slapd[45740]: conn=1046 op=1 UNBIND",
"@timestamp": "2016-11-11T10:52:42.953Z",
"type": "slapdmine",
"timestamp": "Nov 11 16:22:05",
"connection": 1046,
"operation_number": 1,
"operation_name": "UNBIND"
}
}
]
}
}
I want to find the list of src_ip values where error_code is 49. These two attributes never appear in a single document, but the connection id is the same across the documents that belong to one connection.
If I had to write this as a SQL query, I would probably do it the following way:
select src_ip from ldap where connection in (select connection
from ldap where error_code = 49)
Any idea how I can achieve this in ElasticSearch?
Using ElasticSearch (2.3.3). My index mapping:
"para-slapdmine-logs-2016.11.11" : {
"mappings" : {
"slapdmine" : {
"properties" : {
"@timestamp" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
},
"@version" : {
"type" : "string"
},
"bind_dn" : {
"type" : "string"
},
"bind_method" : {
"type" : "string"
},
"connection" : {
"type" : "long"
},
"dst_ip" : {
"type" : "string"
},
"dst_port" : {
"type" : "string"
},
"error_code" : {
"type" : "long"
},
"fd_number" : {
"type" : "string"
},
"host" : {
"type" : "string"
},
"logsource" : {
"type" : "string"
},
"message" : {
"type" : "string"
},
"operation_name" : {
"type" : "string"
},
"operation_number" : {
"type" : "long"
},
"pid" : {
"type" : "string"
},
"program" : {
"type" : "string"
},
"src_ip" : {
"type" : "string"
},
"src_port" : {
"type" : "string"
},
"tag" : {
"type" : "long"
},
"timestamp" : {
"type" : "string"
},
"type" : {
"type" : "string"
}
}
}
}
}
Possible duplicate of [What is the ElasticSearch equivalent for an SQL subquery?](http://stackoverflow.com/questions/28734436/what-is-the-elasticsearch-equivalent-for-an-sql-subquery) – gerosalesc
Can I see your mapping? – gerosalesc
@gerosalesc I have added the mapping of the index. –
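Elasticsearch has no server-side subquery or join across documents, so the usual answer to the "WHERE connection IN (SELECT ...)" pattern above is two round trips: an aggregation that collects the distinct connection ids matching error_code 49, then a terms filter on those ids that pulls the ACCEPT documents carrying src_ip. What this actually surfaces is worth stating: LDAP result code 49 is invalidCredentials, so the resulting src_ip list is "sources that sent failed binds", which is the starting point for detecting password guessing against slapd. The example below is added here and is not code from the question or from Elasticsearch itself. It builds both ES 2.x query bodies, parses their responses, and, since it has to run offline, executes them against a constructed in-memory stand-in for the index (`fake_send` and `SAMPLE_DOCS` are assumptions, modelled on the question's `_source` fields; the aggregation name `conns` and the bucket size 10000 are choices of mine). With a real cluster you would pass `lambda body: es.search(index=INDEX, body=body)` from the official `elasticsearch` client as `send` instead.

```python
"""Two-round-trip 'IN' subquery for Elasticsearch 2.x, with an offline stand-in.

Added example; not the question author's code. Assumes the ES 2.x query DSL
(bool/filter, term, terms, exists, terms aggregation).
"""

INDEX = "para-slapdmine-logs-2016.11.11"
LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode 49 = invalidCredentials (failed bind)

# Constructed sample documents mirroring the question's _source fields.
# conn 1046 and 1048 fail their bind, conn 1047 succeeds (err=0).
SAMPLE_DOCS = [
    {"connection": 1046, "operation_number": 0, "tag": 97, "error_code": 49},
    {"connection": 1046, "fd_number": "13", "src_ip": "10.1.2.2"},
    {"connection": 1046, "operation_number": 0, "operation_name": "BIND",
     "bind_dn": "uid=dharmikp,ou=python,dc=red5admin"},
    {"connection": 1046, "operation_number": 1, "operation_name": "UNBIND"},
    {"connection": 1047, "fd_number": "14", "src_ip": "10.1.2.3"},
    {"connection": 1047, "operation_number": 0, "tag": 97, "error_code": 0},
    {"connection": 1048, "fd_number": "15", "src_ip": "10.1.2.9"},
    {"connection": 1048, "operation_number": 0, "tag": 97, "error_code": 49},
]


def inner_query(error_code=LDAP_INVALID_CREDENTIALS, max_connections=10000):
    """Round trip 1: distinct connection ids whose RESULT carries error_code.

    size=0 suppresses hits; only the terms aggregation on the numeric
    'connection' field is returned. max_connections bounds the bucket count.
    """
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"error_code": error_code}}]}},
        "aggs": {"conns": {"terms": {"field": "connection", "size": max_connections}}},
    }


def connections_from_response(resp):
    """Pull the connection ids out of the aggregation buckets."""
    return [int(b["key"]) for b in resp["aggregations"]["conns"]["buckets"]]


def outer_query(connections):
    """Round trip 2: the ACCEPT documents (those that have src_ip) for those ids."""
    return {
        "query": {"bool": {"filter": [
            {"terms": {"connection": connections}},
            {"exists": {"field": "src_ip"}},
        ]}},
        "_source": ["connection", "src_ip"],
    }


def src_ips_from_response(resp):
    """Distinct, sorted src_ip values from a search response."""
    return sorted({h["_source"]["src_ip"] for h in resp["hits"]["hits"]})


def run_two_step(send, error_code=LDAP_INVALID_CREDENTIALS):
    """send(body) -> parsed ES response dict. Performs both round trips."""
    conns = connections_from_response(send(inner_query(error_code)))
    if not conns:           # nothing failed: skip the second query entirely
        return []
    return src_ips_from_response(send(outer_query(conns)))


def fake_send(body):
    """Constructed in-memory stand-in for ES over SAMPLE_DOCS (not a real client).

    Understands exactly the clauses the two queries above use.
    """
    hits = SAMPLE_DOCS
    for f in body["query"]["bool"]["filter"]:
        if "term" in f:
            (field, val), = f["term"].items()
            hits = [d for d in hits if d.get(field) == val]
        elif "terms" in f:
            (field, vals), = f["terms"].items()
            hits = [d for d in hits if d.get(field) in vals]
        elif "exists" in f:
            hits = [d for d in hits if f["exists"]["field"] in d]
    resp = {"hits": {"hits": [{"_source": d} for d in hits]}}
    if "aggs" in body:
        field = body["aggs"]["conns"]["terms"]["field"]
        keys = sorted({d[field] for d in hits})
        resp["aggregations"] = {"conns": {"buckets": [{"key": k, "doc_count": 1} for k in keys]}}
    return resp


if __name__ == "__main__":
    print(run_two_step(fake_send))  # ['10.1.2.2', '10.1.2.9']
```

Two caveats before running this against a real index. First, slapd's conn= counter restarts when the daemon restarts, so the same connection id can refer to different client sessions over time; keep the two queries scoped to one daily index (as the question's index name already does) or add an `@timestamp` range filter to both. Second, in the mapping above `src_ip` is an analyzed `string`; that is fine for the `exists` filter and for reading `_source` as done here, but if you later want to aggregate on `src_ip` (for example, count failed binds per source) map it `not_analyzed` or add a `.raw` sub-field.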