python查询elasticsearch 获取指定字段的值的list

import os
from datetime import datetime, timedelta

from elasticsearch import Elasticsearch

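# 1. Connect to Elasticsearch --------------------------------------------------
# Client for the production cluster.
# - Use https:// and leave certificate verification on. Over http://, or with
#   verify_certs=False, the basic-auth credentials and the query results can be
#   read or altered by anyone on the network path.
# - If the cluster certificate is signed by a private CA, pass that CA bundle
#   through ca_certs= instead of disabling verification.
# - Credentials are read from the environment so they are not committed with the
#   script. ES_USERNAME and ES_PASSWORD are example variable names chosen for
#   this snippet; a missing variable raises KeyError before any request is sent.
es_of_prod = Elasticsearch(
    'https://host:port',
    http_auth=(os.environ["ES_USERNAME"], os.environ["ES_PASSWORD"]),
    verify_certs=True,
    timeout=60,
)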

# 2. Build the query strings ---------------------------------------------------
# The variables are named "kql", but the strings are sent in a `query_string`
# clause further down, so they are parsed with query_string syntax.
# Index to search.
index_of_query = "index-name"

# Reference point: one hour before the current (naive, host-local) time.
current_time = datetime.now()
previous_hour_time = current_time - timedelta(hours=1)

# The same instant rendered as "year-month-day hour" and as
# "year-month-day hour:minute".
previous_hour_time_formatted = f"{previous_hour_time:%Y-%m-%d %H}"
previous_hourAndMin_time_formatted = f"{previous_hour_time:%Y-%m-%d %H:%M}"

# `{query String}` is the page's placeholder for the text being searched; it is a
# plain literal here, not a format field.
# NOTE(review): if that text ever comes from user input, escape the query_string
# reserved characters before inserting it (or use a structured match/term
# clause), because query_string interprets operators found in the string.
query_prefix = 'context:"*{query String}*" AND ext.time:"*'
query_suffix = '*"'

# Hour-granularity query string.
kql_query_xxx_prod = "".join(
    (query_prefix, previous_hour_time_formatted, query_suffix)
)
# Minute-granularity query string; this is the one the requests below use.
kql_query_xxx_prod_hourAndMin = "".join(
    (query_prefix, previous_hourAndMin_time_formatted, query_suffix)
)
print(f"query condition: {kql_query_xxx_prod_hourAndMin}")

# 3. Build the request body for the count call --------------------------------
# 00:00 of the current day, and 00:00 of the next day as the exclusive upper
# bound ("24:00" today).
zero_today = current_time.replace(hour=0, minute=0, second=0, microsecond=0)
midnight_24 = zero_today + timedelta(days=1)

# Author's environment note: SIT runs ES 7.5.1 and PRD runs ES 7.15.1; the body
# below works in SIT but does not work in PRD.

# Free-text part: the minute-granularity query string, searched in all fields.
# NOTE(review): leading wildcards across every field are likely expensive on a
# large index; confirm the load is acceptable before running against production.
text_clause = {
    "query_string": {
        "query": kql_query_xxx_prod_hourAndMin,
        "default_field": "*",  # search all fields
    }
}

# Time window: today only. The bounds are passed as datetime objects, so their
# serialization is left to the client.
time_window_clause = {
    "range": {
        "@timestamp": {
            "gte": zero_today,      # today 00:00:00
            "lt": midnight_24,      # next day 00:00:00
            "time_zone": "+08:00",  # time zone for the bounds (e.g. Beijing time)
        }
    }
}

# Both clauses must match.
kql_query_xxx_json = {
    "query": {
        "bool": {
            "must": [text_clause, time_window_clause]
        }
    }
}
# 4. Run the count request and print the number of matching documents ---------
count_request = {
    "index": index_of_query,
    "body": kql_query_xxx_json,
}
previous_hour_xxx_count = es_of_prod.count(**count_request)
matched_count = previous_hour_xxx_count['count']
print(f"previous_hour_xxx_count: {matched_count}")

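# 5. Run the search and collect one field's value from every hit --------------
query_body = {
    "query_string": {
        "query": kql_query_xxx_prod_hourAndMin,
        "default_field": "*",
        "analyze_wildcard": True,
        "lenient": True
    }
}
# size=10000: without size only the first 10 hits are returned.
# NOTE(review): 10000 is also the default index.max_result_window, so a single
# request cannot return more than that; larger result sets need paging
# (search_after or scroll). By default hits.total.value is only tracked
# accurately up to 10000, so compare `total` with len(traceids) before treating
# the list as complete.
traceids = []
try:
    response = es_of_prod.search(
        index=index_of_query,
        query=query_body,
        size=10000
    )
    total = response['hits']['total']['value']
    print(f"获取到total:{total}")

    skipped = 0
    for hit in response['hits']['hits']:
        source = hit.get('_source') or {}
        # The field can appear in _source under the literal dotted key or as a
        # nested object {"ext": {"traceId": ...}}; accept either form.
        trace_id = source.get('ext.traceId')
        if trace_id is None:
            ext = source.get('ext')
            if isinstance(ext, dict):
                trace_id = ext.get('traceId')
        if trace_id is None:
            # One document without the field must not discard every other
            # result, which is what a KeyError inside this try block would do.
            skipped += 1
            continue
        traceids.append(trace_id)

    print(f"获取到{len(traceids)}条traceid记录")
    if skipped:
        print(f"skipped {skipped} hits without ext.traceId")
    # traceids can now be iterated for follow-up business processing.
except Exception as e:
    # Best-effort script: report the failure and continue with an empty list
    # rather than partial results.
    print(f"查询异常: {str(e)}")
    traceids = []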