Elasticsearch 笔记

2018-10-28 05:35:12 | 大数据开发Elasticsearch

Index 的删除

1 2	`删除ES库的 index 含有 aa_0419_都会被删除 [root@localhost ~]# curl -XDELETE "http://192.168.101.23:9200/aa_0419_*"`

游标操作，摆脱分页限制

ES 游标操作

[root@localhost temp_pcap]# cat test1.sh
ES_result_file="ES_result_json"
curl -XGET "http://192.168.101.23:9200/aa_0419_dvd_rom_redo_http_n_20180429/_search?pretty&scroll=10m" -d'
{
    "query": {
        "bool": {
            "must": [{
                "wildcard": {
                    "user-agent.keyword": "*"
                }
            }],
            "must_not": [],
            "should": []
        }
    },
    "from": 0,
    "size": 10000,
    "sort": [],
    "aggs": {}
} ' > $ES_result_file

scroll_id=`cat $ES_result_file | grep _scroll_id | awk -F "\"" '{print $4}'`

counter=1
while true
do
    let counter=$counter+1
    filename="${ES_result_file}_${counter}"
    curl -XGET "http://192.168.101.23:9200/_search/scroll?scroll=5m&pretty&scroll_id=$scroll_id" > $filename
    lines=`cat $filename | wc -l`
    if [ $lines -lt 20 ]
    then
        echo $filename "too short"
        rm -rf $filename
        break
    fi
done
[root@localhost temp_pcap]# bash test1.sh
[root@localhost temp_pcap]# ll
total 3.2G
-rw-r--r--. 1 root root  14M May  7 11:50 ES_result_json
-rw-r--r--. 1 root root  14M May  7 11:50 ES_result_json_2
-rw-r--r--. 1 root root  14M May  7 11:50 ES_result_json_3
-rw-r--r--. 1 root root  14M May  7 11:50 ES_result_json_4
-rw-r--r--. 1 root root  14M May  7 11:50 ES_result_json_5
-rw-r--r--. 1 root root  13M May  7 11:50 ES_result_json_6
-rw-r--r--. 1 root root  901 May  7 11:50 test1.sh

Python 打开 ES返回的数据

[root@localhost temp_pcap]# cat ip_port.py
#!/usr/bin/python

import re
import json
import sys

filename = sys.argv[1]
with open(filename, 'r') as f:
    jlist = json.loads(f.read())
    for rec in jlist["hits"]["hits"]:
        source = rec['_source']
        StrInfo=''
        if source.has_key('dstip'):
            StrInfo = StrInfo + "%s " % (source['dstip'])
        if source.has_key('dstport'):
            StrInfo = StrInfo + "%s " % (source['dstport'])
        if source.has_key('host'):
            StrInfo = StrInfo + "%s " % (source['host'])
        print StrInfo

[root@localhost temp_pcap]#



[root@localhost temp_pcap]# ./ip_port.py ES_result_json
104.18.60.3 80  www.hdmoviesshop.com
52.202.59.238   8080    ec2-52-202-59-238.compute-1.amazonaws.com:8080
23.21.64.6  80  ads.admarvel.com
52.205.69.199   80  soma.smaato.net
52.206.192.215  80  app.ufotosoft.com
8.37.237.1  80  8.37.237.1
8.37.236.133    80  res.apk.vidmate.net
52.205.238.171  80  net.rayjump.com
152.163.13.4    80  cas.pxl.ace.advertising.com
52.205.238.171  80  net.rayjump.com
52.207.92.202   80  track1.aniview.com
168.235.205.6   80  uc.ucweb.com
8.37.236.133    80  www.vidmate.mobi
52.207.64.240   80  api.mobpalm.com
52.207.38.20    80  api.salmonads.com
52.205.8.145    80  soma.smaato.net
52.206.192.215  80  app.ufotosoft.com
52.207.64.240   80  api.mobpalm.com
52.207.162.213  80  api.mobpalm.com
52.205.69.199   80  soma.smaato.net
74.6.34.27  80  pr-bh.ybp.yahoo.com
8.37.236.133    80  www.vidmate.mobi
52.201.100.27   80  api.mobpowertech.com
52.207.64.240   80  api.mobpalm.com
52.207.49.255   80  cm.ushareit.com
52.207.49.255   80  cm.ushareit.com
52.201.112.202  80  soma.smaato.net
52.205.15.152   80  smartmax.loganmedia.mobi
52.202.124.5    80  ads.aerserv.com
23.21.158.132   80  ads.admarvel.com
8.37.236.133    80  res.apk.vidmate.net
104.18.60.3 80  www.hdmoviesshop.com
52.203.157.83   80  wv.inner-active.mobi
52.204.221.242  80  ets-us-east-1.smaato.net
52.203.114.86   80  ad-tag.inner-active.mobi
52.202.9.65 80  tracker.mtrtb.com
23.21.103.46    80  cfg.ws.pho.to
168.235.207.3   80  168.235.207.3
52.205.165.132  80  m2m1.inner-active.mobi