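# Grab the trailing sort value (the last run of digits in the final 18 bytes
# of a previous result file). Assumes the response ends with the hit's
# "sort":[<timestamp>] value, i.e. the file is a raw Elasticsearch response.
TIM=$(tail -c 18 a1.json | grep -Eo '[0-9]+' | tail -n 1)
# Multi-field keyword search. To put a shell variable inside the single-quoted
# JSON body, close the quote, expand the variable (double-quoted) and reopen it.
# Only a validated integer is spliced into search_after, so a stray string read
# from the file cannot change the shape of the query.
if [[ "$TIM" =~ ^[0-9]+$ ]]; then
  curl -X GET 'http://127.0.0.1:9200/dra-nta-dt_packet_http_session_transform*/_search' -H 'Content-Type: application/json' -d '{ "query": { "multi_match": {
  "query": "password", "type": "most_fields", "fields": ["HttpBody", "UriReq", "HttpBodyReq"] } },
  "size": 1, "sort": { "@timestamp": "asc" } , "search_after": ['"${TIM}"']}'
else
  printf '%s\n' "a1.json: no numeric sort value found at end of file" >&2
fi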
完整shell脚本
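#!/usr/bin/env bash
#######################################
# queryes.sh - page through an Elasticsearch index with search_after.
#
# Starting from the sort value found at the tail of an existing result file,
# runs $3 consecutive multi_match queries for keyword $2 (size 1, sorted by
# @timestamp asc) and writes each raw response to a4.json, a5.json, ...
# (the same file names the original loop produced). The loop stops early when
# no numeric sort value can be read or a query fails.
#
# Arguments: $1 - result file whose last 18 bytes hold the previous sort value
#            $2 - keyword searched in HttpBody, UriReq and HttpBodyReq
#            $3 - number of queries to run (non-negative integer)
# Env:       ES_URL   - base URL (default http://127.0.0.1:9200)
#            ES_INDEX - index pattern (default dra-nta-dt_packet_http_session_transform*)
# Outputs:   a<i>.json per query; progress on stdout, errors on stderr
# Returns:   0 on success, 1 on usage error
#######################################
set -u

readonly ES_URL="${ES_URL:-http://127.0.0.1:9200}"
readonly ES_INDEX="${ES_INDEX:-dra-nta-dt_packet_http_session_transform*}"

# Escape a string for use inside a JSON string literal: backslash, double
# quote and the common control characters (newline, CR, tab). The keyword
# comes from the command line, so without this a quote in it would break the
# body or let extra query clauses be spliced in. Other control characters are
# passed through unchanged.
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

# Print the last run of digits found in the final 18 bytes of a response
# file. The 18-byte window is tuned to a response ending in
# "sort":[<13-digit ms timestamp>]}]}} — the same assumption the original
# one-liner made; prints nothing when no digits are found (e.g. no hits).
last_sort_value() {
  tail -c 18 -- "$1" | grep -Eo '[0-9]+' | tail -n 1
}

# Run one query and write the raw response to the given file.
# Arguments: $1 - JSON-escaped keyword; $2 - search_after sort value (digits
#            only, validated by the caller); $3 - output file
# Returns:   curl's status; --fail makes an HTTP error a non-zero status so an
#            error document (whose trailing "status":4xx digits would otherwise
#            be mistaken for a sort value) never becomes the next cursor.
run_query() {
  local keyword=$1 after=$2 out=$3
  local body
  body=$(printf '{ "query": { "multi_match": { "query": "%s", "type": "most_fields", "fields": ["HttpBody", "UriReq", "HttpBodyReq"] } }, "size": 1, "sort": { "@timestamp": "asc" }, "search_after": [%s] }' "$keyword" "$after")
  curl -sS --fail -X GET "${ES_URL}/${ES_INDEX}/_search" \
    -H 'Content-Type: application/json' -d "$body" > "$out"
}

main() {
  if (( $# != 3 )); then
    printf '%s\n' "请输入参数1:文件名;参数2:关键字;参数3:循环次数。" >&2
    printf '%s\n' "例如./queryes.sh a1.json password 10" >&2
    exit 1
  fi
  local seed=$1 keyword num tim i
  keyword=$(json_escape "$2")
  if ! [[ "$3" =~ ^[0-9]+$ ]]; then
    printf '%s is not number \n' "$3" >&2
    exit 1
  fi
  tim=$(last_sort_value "$seed")
  # Output numbering starts at 4 to keep the file names of the original loop.
  num=$(( $3 + 3 ))
  for (( i = 4; i <= num; i++ )); do
    if [[ "$tim" =~ ^[0-9]+$ ]]; then
      printf 'after %s\n' "$tim"
    else
      printf '%s is not number \n' "$tim"
      break
    fi
    if ! run_query "$keyword" "$tim" "a$i.json"; then
      printf 'query %d failed; stopping\n' "$i" >&2
      break
    fi
    # Next cursor is read straight from the file just written (no tmp.json copy).
    tim=$(last_sort_value "a$i.json")
  done
}

main "$@"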
执行脚本
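# Run detached from the terminal session. Output is redirected to a log file:
# after setsid the descriptors still point at the terminal, so once it closes
# the script's progress messages would fail instead of being kept.
setsid bash queryes.sh b180.json password 20 > queryes.log 2>&1 &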