As mentioned earlier, Elasticsearch is a distributed database operated entirely through a RESTful API, so here is an introduction to its basic operations. You will not necessarily need these when working with E.L.K, since parsing is handled by logstash and ordinary access can be done through kibana, but if you want to tweak or test a single record you will still end up doing CRUD operations with curl.
CREATE
Create a single record
$ curl -XPOST http://127.0.0.1:9200/logstash-2016.12.23/testPOST -d '{
"userNme" : "weiwei",
"@timestamp" : "2016-12-23T02:50:29.070Z",
"message" : "This is a meaage for testing POST"
}'
The response is:
{"_index":"logstash-2016.12.23","_type":"testPOST","_id":"AVkp1r3mBRKdREkz5nY3","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"created":true}
Remember the index and type concepts mentioned earlier? Let's take another look at the POST URL we just sent:
READ
Retrieve the record we just submitted
$ curl -XGET http://127.0.0.1:9200/logstash-2016.12.23/testPOST/AVkp1r3mBRKdREkz5nY3?pretty
The response is:
{
"_index" : "logstash-2016.12.23",
"_type" : "testPOST",
"_id" : "AVkp1r3mBRKdREkz5nY3",
"_version" : 1,
"found" : true,
"_source" : {
"userNme" : "weiwei",
"@timestamp" : "2016-12-23T02:50:29.070Z",
"message" : "This is a meaage for testing POST"
}
}
This is the single record retrieved by "_id" : "AVkp1r3mBRKdREkz5nY3". If you want all the records under a particular type, you can run:
$ curl -XGET http://127.0.0.1:9200/logstash-2016.12.23/testPOST/_search?pretty
The response is:
{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 3,
"max_score" : 1.0,
"hits" : [
{
"_index" : "logstash-2016.12.23",
"_type" : "testPOST",
"_id" : "AVkp1r3mBRKdREkz5nY3",
"_score" : 1.0,
"_source" : {
"userNme" : "weiwei",
"@timestamp" : "2016-12-23T02:50:29.070Z",
"message" : "This is a meaage for testing POST"
}
},
{
"_index" : "logstash-2016.12.23",
"_type" : "testPOST",
"_id" : "AVkqVxt2BRKdREkz5nY4",
"_score" : 1.0,
"_source" : {
"userNme" : "weiwei",
"@timestamp" : "2016-12-23T02:50:29.070Z",
"message" : "This is a meaage for testing POST"
}
},
{
"_index" : "logstash-2016.12.23",
"_type" : "testPOST",
"_id" : "AVkqV37DBRKdREkz5nY5",
"_score" : 1.0,
"_source" : {
"userNme" : "alice",
"@timestamp" : "2016-12-23T03:50:29.070Z",
"message" : "This is a meaage for testing POST"
}
}
]
}
}
Friendly reminder: adding the ?pretty parameter to a GET makes the output much more human-readable.
UPDATE
$ curl -XPOST http://127.0.0.1:9200/logstash-2016.12.23/testPOST/AVkqVxt2BRKdREkz5nY4/_update -d '{
"doc" : {
"userName" : "red queen"
}
}'
The response is:
{"_index":"logstash-2016.12.23","_type":"testPOST","_id":"AVkqVxt2BRKdREkz5nY4","_version":2,"result":"updated","_shards":{"total":2,"successful":2,"failed":0}}
Although this looks almost the same as create, with just an extra /_update appended, there are two things to watch out for:
Let's check whether the data was really modified:
$ curl -XGET http://127.0.0.1:9200/logstash-2016.12.23/testPOST/AVkqVxt2BRKdREkz5nY4?pretty
{
"_index" : "logstash-2016.12.23",
"_type" : "testPOST",
"_id" : "AVkqVxt2BRKdREkz5nY4",
"_version" : 2,
"found" : true,
"_source" : {
"userName" : "red queen",
"@timestamp" : "2016-12-23T02:50:29.070Z",
"message" : "This is a meaage for testing POST"
}
}
DELETE
In everyday E.L.K use you rarely need the create, read and update operations just shown; what gets used far more often is delete, for example removing an entire index.
$ curl -XDELETE http://127.0.0.1:9200/logstash-2016.12.23
This removes every record under that index. You can also use a wildcard to delete several indices at once, for example:
$ curl -XDELETE http://127.0.0.1:9200/logstash-2016.12.*
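A wildcard DELETE against port 9200 is irreversible, so a guarded wrapper for the delete above is added here as an example (it is not part of the original post). ES_URL, es_pattern_ok and es_delete_indices are names chosen for this example, and the 8-character prefix threshold is an arbitrary assumption; the server-side setting action.destructive_requires_name in elasticsearch.yml is the complementary control.

```shell
#!/bin/sh
# Added example, not from the original post. ES_URL is an assumed variable name.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Refuse index patterns that would wipe every index. Returns 0 when the
# pattern is acceptable, 1 otherwise. Client-side counterpart of the
# action.destructive_requires_name server setting, with a stricter rule:
# the pattern must carry a literal prefix before its first '*'.
es_pattern_ok() {
    pat="$1"
    case "$pat" in
        ""|"_all"|"*"*|*" "*|*"/"*) return 1 ;;
    esac
    # Literal part before the first wildcard, e.g. "logstash-2016.12." for
    # "logstash-2016.12.*". The 8-character minimum is an arbitrary choice.
    prefix="${pat%%\**}"
    [ "${#prefix}" -ge 8 ]
}

# Dry run by default: list what the pattern matches via _cat/indices and
# only issue the DELETE when the caller passes --yes as the second argument.
es_delete_indices() {
    pat="$1"; confirm="$2"
    es_pattern_ok "$pat" || { echo "refusing unsafe pattern: '$pat'" >&2; return 2; }
    echo "indices matching $pat:"
    curl -s "$ES_URL/_cat/indices/$pat?h=index" || return 3
    if [ "$confirm" = "--yes" ]; then
        curl -s -XDELETE "$ES_URL/$pat"
    else
        echo "dry run only; re-run with --yes to delete" >&2
    fi
}
```

Run `es_delete_indices logstash-2016.12.*` first to see the matching indices, then repeat with `--yes` to actually delete them.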