《Elastic Stack 实战手册》——三、产品能力——3.5 进阶篇——3.5.17.Elasticsearch SQL (2) https://developer.aliyun.com/article/1227076
3. 基础查询
下面的基础查询,默认在 Kibana 中操作。
3. 基础查询
下面的基础查询,默认在 Kibana 中操作。
3.1 简单示例
1)SHOW TABLES, 获取集群的所有索引,包含别名信息:
2)SHOW COLUMNS IN test_logs,查看索引 test_logs 的字段信息(语句 DESC test_logs作用相同):
POST _sql?format=txt { "query":"SHOW COLUMNS IN test_logs" } POST _sql?format=txt { "query":"DESC test_logs" }
3)SHOW FUNCTIONS, 查看当前支持的函数:
POST _sql?format=txt { "query":"SHOW FUNCTIONS" } name | type -----------------+--------------- AVG |AGGREGATE COUNT |AGGREGATE FIRST |AGGREGATE FIRST_VALUE |AGGREGATE LAST |AGGREGATE ... |...
4)SELECT FROM,获取索引中的部分数据:
POST _sql?format=txt { "query":""" SELECT clientip, host, response FROM test_logs ORDER BY timestamp DESC LIMIT 3 """ } clientip | host | response ---------------+---------------------------+--------------- 118.151.35.151 |artifacts.elastic.co |200 99.76.103.49 |artifacts.elastic.co |200 41.77.243.255 |elastic-elastic-elastic.org|200
上面通过4条语句,简单介绍了 Elasticsearch SQL 的基本查询,接下来将介绍更多的实用技巧。
3.2 全文搜索
Elasticsearch 的全文检索功能,在 Ealsticsearch SQL 中可以通过两个函数实现: match,
query。
1)WHERE MATCH,实现全文搜索,效果同 mulit_match:
# 查询 url 字段中包含 metricbeat的文档, score()函数返回相关性评分 POST _sql?format=txt { "query":""" SELECT SCORE(), clientip, host, response FROM test_logs WHERE MATCH(url, 'metricbeat') ORDER BY timestamp DESC LIMIT 3 """ } SCORE() | clientip | host | response ---------------+---------------+--------------------+--------------- 2.7142088 |74.184.0.64 |artifacts.elastic.co|200 2.7142088 |232.20.97.5 |artifacts.elastic.co|200 2.7142088 |9.16.178.89 |artifacts.elastic.co|404
2)WHERE QUERY,实现全文搜索,效果同 query_string:
POST _sql?format=txt { "query":""" SELECT SCORE(), clientip, host, response FROM test_logs WHERE QUERY('url:metricbeat') ORDER BY timestamp DESC LIMIT 3 """ } SCORE() | clientip | host | response ---------------+---------------+--------------------+--------------- 2.7142088 |74.184.0.64 |artifacts.elastic.co|200 2.7142088 |232.20.97.5 |artifacts.elastic.co|200 2.7142088 |9.16.178.89 |artifacts.elastic.co|404
3.3 深层分页
实际使用过程中,一般全文搜索后,会得到的大量返回文档,经常需要分页展示。在Elasticsearch DSL 中我们一般会使用 from + size / scroll / search_after 等方式来实现,Elasticsearch SQL 中存在 fetch_size ,指定当前查询返回的文档数量,用于实现分页功能。Elasticsearch SQL 中 fetch_size,可以类比为 Elasticsearch DSL 中的 scroll(游标)。
1)第1次查询,指定 fetch_size = 10,表示获取 test_logs 中的 10 个文档,如果返回值中有 cursor,表示还有更多满足条件的文档:
POST _sql?format=json { "query":""" SELECT clientip, host, response FROM test_logs ORDER BY timestamp DESC """, "fetch_size": 10 } { "columns" : [ { "name" : "clientip", "type" : "ip" }, { "name" : "host", "type" : "text" }, { "name" : "response", "type" : "text" } ], "rows" : [ [ "118.151.35.151", "artifacts.elastic.co", 1270 > 三、产品能力 "200" ] ... ], "cursor" : "g+azAwFaAXN...=" }
2)第2次查询,只需要添加前一次的 cursor:
POST /_sql?format=json { "cursor" : "g+azAwFaAXN...=" } { "rows" : [ [ "41.77.243.255", "elastic-elastic-elastic.org", "200" ], ... ], "cursor" : "g+azAwFaAXN4Rk...=" }
3)最后一次查询,返回结果中将不存在 cursor ,表示已经到了最后一页:
POST /_sql?format=json { "cursor": "g+azAwFaAXN4Rk...=" } { "columns" : [ { "name" : "clientip", "type" : "ip" }, { "name" : "host", "type" : "text" }, { "name" : "response", "type" : "text" } ], "rows" : [ [ "118.151.35.151", "artifacts.elastic.co", "200" ] ] }
需要注意的是:
1、如果查询指定返回结构是 txt / csv 等,将无法获取到 carsor;
2、如果查询语句中包含有 LIMIT,fetch_size 将无法工作,即无法分页。
《Elastic Stack 实战手册》——三、产品能力——3.5 进阶篇——3.5.17.Elasticsearch SQL (4) https://developer.aliyun.com/article/1227074
