当前位置：首页 > news >正文

python查询elasticsearch 获取指定字段的值的list

news 来源：原创 2025/5/22 6:38:09

from elasticsearch import Elasticsearch
from datetime import datetime, timedelta# 1.connect to Elasticsearch------------------------------------------------------------------------------------------------------
# prod连接到 Elasticsearch
es_of_prod = Elasticsearch('http://host:port', http_auth=("username", "pwd"), verify_certs=False, timeout=60)# 2.构建KQL-----------------------------------------------------------------------------------------------------------------------
# 查询index
index_of_query = "index-name"
# 获取当前时间并减去1小时
current_time = datetime.now()
previous_hour_time = current_time - timedelta(hours=1)
# 格式化为 "年-月-日 时"
previous_hour_time_formatted = previous_hour_time.strftime("%Y-%m-%d %H")
# 格式化为 "年-月-日 时:分"
previous_hourAndMin_time_formatted = previous_hour_time.strftime("%Y-%m-%d %H:%M")
# 构建 KQL 查询字符串
kql_query_xxx_prod = 'context:"*{query String}*" AND ext.time:"*'+previous_hour_time_formatted+'*"'
# 构建 KQL 查询字符串
kql_query_xxx_prod_hourAndMin = 'context:"*{query String}*" AND ext.time:"*'+previous_hourAndMin_time_formatted+'*"'
print(f"query condition: {kql_query_xxx_prod_hourAndMin}")# 3.构建KQL JSON------------------------------------------------------------------------------------------------------
# 当天 0 点
zero_today = current_time.replace(hour=0, minute=0, second=0, microsecond=0)
# 当天 24 点（直接取次日 0 点）
midnight_24 = zero_today + timedelta(days=1)
#环境情况：sit env:es version7.5.1，prd env:es version7.15.1,下面query_json在sit环境可以使用，在prd环境不能使用
kql_query_xxx_json = {"query": {"bool": {"must": [{"query_string": {"query":kql_query_xxx_prod_hourAndMin,"default_field": "*"  # 搜索所有字段}},{"range": {"@timestamp": {"gte": zero_today,  # 当天00:00:00"lt": midnight_24,   # 第二天00:00:00"time_zone": "+08:00"  # 指定时区（如北京时间）}}}]}}
}
# 4.es执行查询获得hits count大小---------------------------------------------------------------------------------------------------
previous_hour_xxx_count = es_of_prod.count(index = index_of_query,body = kql_query_xxx_json
)
print(f"previous_hour_xxx_count: {previous_hour_xxx_count['count']}")# 5.执行查询，获取某个字段的value的list----------------------------------------------------------------------------------------------
query_body = {"query_string": {"query": kql_query_xxx_prod_hourAndMin,"default_field": "*","analyze_wildcard": True,"lenient": True}
}
#size=10000，如果不设置size，默认只返回前10条数据
try:response = es_of_prod.search(index = index_of_query,query = query_body,size=10000)total = response['hits']['total']['value']print(f"获取到total:{total}")traceids = [hit['_source']['ext.traceId'] for hit in response['hits']['hits']]print(f"获取到{len(traceids)}条traceid记录")#可以遍历traceids，做后续的业务处理
except Exception as e:print(f"查询异常: {str(e)}")traceids = []