
Elasticsearch 入门基础


Elasticsearch 入门基础

什么是 Elasticsearch

Elasticsearch 是一个开源的分布式搜索和分析引擎,基于 Apache Lucene 构建。它提供近实时的搜索能力,广泛用于日志分析、全文搜索和数据分析。

安装 Elasticsearch

Ubuntu/Debian

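# Import the Elastic signing key into a dedicated keyring.
# apt-key is deprecated and adds the key to APT's global trust store, so the
# key would be trusted for every configured repository, not only Elastic's.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

# Add the repository, tied to that keyring with signed-by
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

# Install. The 8.x package enables security by default and prints the
# generated password of the built-in "elastic" user during installation;
# record it, it is needed to authenticate afterwards.
sudo apt update
sudo apt install elasticsearch

# Start the service and enable it at boot
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch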

Docker

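# Single-node mode, for local experiments only.
# xpack.security.enabled=false turns off authentication and TLS, so anyone who
# can reach the published ports has full read/write access to the data.
# Publishing on 127.0.0.1 keeps the node reachable from this host only; a bare
# "-p 9200:9200" would listen on every interface of the Docker host.
docker run -d \
  --name elasticsearch \
  -p 127.0.0.1:9200:9200 \
  -p 127.0.0.1:9300:9300 \
  -e "discovery.type=single-node" \
  -e "xpack.security.enabled=false" \
  elasticsearch:8.10.0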

验证安装

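# Test the connection (plain HTTP works when security is disabled, as in the
# Docker example)
curl "http://localhost:9200"

# Cluster health; the URL is quoted so the shell does not treat "?" as a glob
curl "http://localhost:9200/_cluster/health?pretty"

# A package install of 8.x has TLS and authentication enabled by default, so
# unauthenticated plain-HTTP requests are rejected there. Use the CA
# certificate generated at install time and the "elastic" user instead:
#   curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic "https://localhost:9200"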

基本概念

索引 (Index)

# Create an index named "myindex"
curl --request PUT 'localhost:9200/myindex'

# List all indices (?v adds column headers)
curl 'localhost:9200/_cat/indices?v'

# Delete the index together with every document it holds
curl --request DELETE 'localhost:9200/myindex'

文档 (Document)

# Index a document with the explicit id 1
curl --request POST 'localhost:9200/myindex/_doc/1' \
  --header 'Content-Type: application/json' \
  --data '
{
  "title": "Elasticsearch 入门",
  "content": "这是一个关于 Elasticsearch 的教程",
  "date": "2023-01-01"
}'

# Fetch the document by id
curl 'localhost:9200/myindex/_doc/1'

# Partial update: only the fields under "doc" are changed
curl --request POST 'localhost:9200/myindex/_update/1' \
  --header 'Content-Type: application/json' \
  --data '
{
  "doc": {
    "title": "Elasticsearch 入门教程"
  }
}'

# Delete the document by id
curl --request DELETE 'localhost:9200/myindex/_doc/1'

搜索操作

基本搜索

# Return every document in the index (pretty-printed)
curl 'localhost:9200/myindex/_search?pretty'

# Keyword search through the q= URI parameter
curl 'localhost:9200/myindex/_search?q=title:Elasticsearch'

# The same search expressed in the query DSL (JSON request body)
curl --request GET 'localhost:9200/myindex/_search' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "match": {
      "title": "Elasticsearch"
    }
  }
}'

复杂查询

# Bool query: "must" has to match and is scored, "filter" has to match without
# affecting the score, "must_not" excludes documents
curl --request GET 'localhost:9200/myindex/_search' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "bool": {
      "must": [
        { "match": { "title": "Elasticsearch" } }
      ],
      "filter": [
        { "term": { "status": "published" } }
      ],
      "must_not": [
        { "term": { "status": "draft" } }
      ]
    }
  }
}'

# Range query: documents whose "date" falls within 2023 (bounds inclusive)
curl --request GET 'localhost:9200/myindex/_search' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "range": {
      "date": {
        "gte": "2023-01-01",
        "lte": "2023-12-31"
      }
    }
  }
}'

# Aggregation: bucket documents per calendar month of "date"
curl --request GET 'localhost:9200/myindex/_search' \
  --header 'Content-Type: application/json' \
  --data '
{
  "aggs": {
    "by_date": {
      "date_histogram": {
        "field": "date",
        "calendar_interval": "month"
      }
    }
  }
}'

索引映射

创建映射

# Create "myindex" with an explicit mapping: text fields are analyzed for
# full-text search, keyword fields are matched as exact values
curl --request PUT 'localhost:9200/myindex' \
  --header 'Content-Type: application/json' \
  --data '
{
  "mappings": {
    "properties": {
      "title": { "type": "text" },
      "content": { "type": "text" },
      "date": { "type": "date" },
      "status": { "type": "keyword" },
      "views": { "type": "integer" }
    }
  }
}'

查看映射

# Show the current mapping of "myindex" (pretty-printed)
curl 'localhost:9200/myindex/_mapping?pretty'

实践案例

日志分析

# Create a per-day log index with a fixed mapping
curl --request PUT 'localhost:9200/logs-2023.01.01' \
  --header 'Content-Type: application/json' \
  --data '
{
  "mappings": {
    "properties": {
      "timestamp": { "type": "date" },
      "level": { "type": "keyword" },
      "message": { "type": "text" },
      "service": { "type": "keyword" }
    }
  }
}'

# Index one log entry; no id is given, so Elasticsearch generates one
curl --request POST 'localhost:9200/logs-2023.01.01/_doc' \
  --header 'Content-Type: application/json' \
  --data '
{
  "timestamp": "2023-01-01T12:00:00Z",
  "level": "INFO",
  "message": "Application started",
  "service": "web-app"
}'

# Find entries whose level is exactly ERROR (term query on a keyword field)
curl --request GET 'localhost:9200/logs-2023.01.01/_search' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "term": { "level": "ERROR" }
  }
}'

全文搜索

# Create the article index.
# ik_max_word and ik_smart are not built-in analyzers: they come from the IK
# analysis plugin, which has to be installed on every node (in a version
# matching the Elasticsearch version) before this request can succeed.
curl --request PUT 'localhost:9200/articles' \
  --header 'Content-Type: application/json' \
  --data '
{
  "mappings": {
    "properties": {
      "title": { 
        "type": "text",
        "analyzer": "ik_max_word",
        "search_analyzer": "ik_smart"
      },
      "content": { 
        "type": "text",
        "analyzer": "ik_max_word"
      },
      "tags": { "type": "keyword" }
    }
  }
}'

# Search title and content; "title^2" doubles the weight of title matches,
# and "highlight" returns the matching fragments of both fields
curl --request GET 'localhost:9200/articles/_search' \
  --header 'Content-Type: application/json' \
  --data '
{
  "query": {
    "multi_match": {
      "query": "Elasticsearch 教程",
      "fields": ["title^2", "content"]
    }
  },
  "highlight": {
    "fields": {
      "title": {},
      "content": {}
    }
  }
}'

集群管理

查看集群状态

# Cluster health (green / yellow / red)
curl 'localhost:9200/_cluster/health?pretty'

# Nodes in the cluster
curl 'localhost:9200/_cat/nodes?v'

# Indices with their health, document count and size
curl 'localhost:9200/_cat/indices?v'

# Shards and the node each one is allocated to
curl 'localhost:9200/_cat/shards?v'

索引管理

# Close the index (it stops serving reads and writes until reopened)
curl --request POST 'localhost:9200/myindex/_close'

# Reopen the index
curl --request POST 'localhost:9200/myindex/_open'

# Force-merge down to a single segment; meant for indices that are no longer
# being written to, and I/O-heavy while it runs
curl --request POST 'localhost:9200/myindex/_forcemerge?max_num_segments=1'

# Refresh so that recently indexed documents become searchable
curl --request POST 'localhost:9200/myindex/_refresh'

配置优化

jvm.options

# Initial (-Xms) and maximum (-Xmx) JVM heap, both set to 4 GB so the heap is
# not resized at runtime.
# NOTE(review): Elastic's guidance is to keep the heap at no more than half of
# the host's RAM; confirm 4g fits the machine this runs on.
-Xms4g
-Xmx4g

elasticsearch.yml

# Cluster and node identity
cluster.name: my-cluster
node.name: node-1
# Data and log directories
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# 0.0.0.0 binds the HTTP and transport layers to every network interface.
# Use it only with security left enabled (the 8.x default) and a firewall that
# limits who can reach ports 9200/9300: a node without authentication on a
# reachable address gives any client read/write access to all indices.
network.host: 0.0.0.0
http.port: 9200
# Hosts contacted for discovery of the other cluster members
discovery.seed_hosts: ["node-2", "node-3"]
# Master-eligible nodes used to bootstrap a brand-new cluster; Elastic
# recommends removing this setting once the cluster has formed
cluster.initial_master_nodes: ["node-1", "node-2", "node-3"]

常见问题

集群状态为红色

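# Show shard allocation; the problem shards are the ones in state UNASSIGNED
curl "localhost:9200/_cat/shards?v"

# Ask the cluster why a shard is unassigned before changing anything
curl "localhost:9200/_cluster/allocation/explain?pretty"

# Retry allocations that gave up after repeated failures; discards nothing
curl -X POST "localhost:9200/_cluster/reroute?retry_failed=true"

# Last resort: promote a stale shard copy to primary.
# accept_data_loss=true means every write that reached only the lost primary
# is gone for good. Run this only after the steps above have shown that no
# up-to-date copy can be recovered (node restart, snapshot restore), and
# replace index/shard/node with the values reported by the commands above.
curl -X POST "localhost:9200/_cluster/reroute" -H 'Content-Type: application/json' -d'
{
  "commands": [
    {
      "allocate_stale_primary": {
        "index": "myindex",
        "shard": 0,
        "node": "node-1",
        "accept_data_loss": true
      }
    }
  ]
}'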

内存不足

# Per-node memory usage: JVM heap and system RAM, in percent
curl 'localhost:9200/_cat/nodes?v&h=name,heap.percent,ram.percent'

# Clear the caches of all indices
curl --request POST 'localhost:9200/_cache/clear'

最佳实践

总结

Elasticsearch 是一个强大的搜索和分析引擎。掌握基本概念和操作可以帮助你构建高性能的搜索和日志分析系统。