Elasticsearch 文档操作管理：从增删改查到批量操作与数据类型

一、文档概览

Elasticsearch 是一个分布式的文档型数据库，数据以文档（Document）的形式存储。每个文档都是一个 JSON 对象，类似于数据库中的一行记录。

文档存储在**索引（Index）**中，索引类似于关系型数据库中的“表”。每个文档都有一个唯一的 _id。

---

二、写入数据到 ES 集群

添加一个文档（自动生成文档 ID）

使用 POST 请求到 /_doc 路径，Elasticsearch 会自动生成一个唯一的 _id。

POST http://192.168.130.61:9200/applog-events/_doc
{"user_id": "USR-7X9K2P","event_type": "page_view","timestamp": "2025-07-29T10:30:45Z","page_url": "/products/electronics"
}

返回示例:

{"_index": "applog-events","_id": "XjxnWpgB4qrEUIiFxw-k", // 自动生成的 ID"_version": 1,"result": "created",
...
}

添加一个文档（指定文档 ID）

使用 PUT 请求到 /_doc/{your_id} 路径，可以指定自定义的文档 ID。如果该 ID 已存在，则会覆盖原有文档。

PUT http://192.168.130.61:9200/applog-events/_doc/EVT-1A2B3C
{"user_id": "USR-M4N5QR","event_type": "purchase","timestamp": "2025-07-29T11:15:22Z","product_id": "PRD-8Y6T4U","amount": 299.99
}

---

三、文档的查看

查看指定文档的信息

使用 GET 请求，指定索引名和文档 ID。

GET http://192.168.130.61:9200/applog-events/_doc/EVT-1A2B3C

查看索引中的文档（简单搜索）

使用 /_search 端点可以检索文档。不带查询条件时，返回前 10 个匹配的文档。

GET http://192.168.130.61:9200/applog-events/_search

提示：可以使用 ?q=* 或 {"query": {"match_all": {}}} 明确表示匹配所有文档。

---

四、文档的修改

文档的全量更新（替换）

使用 PUT 请求到 /_doc/{id} 路径，可以完全替换一个文档。如果文档不存在，则创建新文档。

PUT http://192.168.130.61:9200/applog-events/_doc/EVT-1A2B3C
{"user_id": "USR-M4N5QR","event_type": "purchase_completed","timestamp": "2025-07-29T11:15:22Z","product_id": "PRD-8Y6T4U","amount": 299.99,"status": "confirmed"
}

局部更新文档（仅修改指定字段）

使用 POST 请求到 /_update/{id} 路径，可以只更新文档的部分字段，而无需提供整个文档。

POST http://192.168.130.61:9200/applog-events/_doc/EVT-1A2B3C/_update
{"doc": {"status": "shipped"}
}

说明：_update API 会获取原文档，应用更新，然后重新索引。它比全量 PUT 更高效，尤其对于大型文档。

---

五、文档的删除

删除指定文档

使用 DELETE 请求，指定索引名和文档 ID。

DELETE http://192.168.130.61:9200/applog-events/_doc/EVT-1A2B3C

删除整个索引（及其所有文档）

使用 DELETE 请求直接指向索引名称，将删除整个索引及其包含的所有文档和元数据。

DELETE http://192.168.130.61:9200/applog-events

警告：此操作不可逆！如果只想删除索引内的文档而保留索引结构，请使用 删除查询（Delete By Query） API。

---

六、ES 文档的批量操作

_bulk API 允许在单个请求中执行多个索引、创建、更新或删除操作，极大提升数据导入和处理效率。

重要：_bulk 请求体是 NDJSON（Newline Delimited JSON）格式，每行必须以换行符 \n 结尾（包括最后一行）。

批量创建/索引文档

POST http://192.168.130.61:9200/_bulk
{ "create": { "_index": "webdata-analytics"} }
{"user_id":"USR-7X9K2P","action":"login","timestamp":"2025-07-29T08:15:33Z","device":"mobile"}
{ "create": { "_index": "webdata-analytics"} }
{"user_id":"USR-J8W3LM","action":"search","timestamp":"2025-07-29T08:16:12Z","query":"wireless headphones"}
{ "create": { "_index": "webdata-analytics","_id": "ANL-9Z1X8V"} }
{"user_id":"USR-K2P4QR","action":"add_to_cart","timestamp":"2025-07-29T08:17:45Z","product_sku":"SKU-5A7B9C"}
{ "create": { "_index": "webdata-analytics","_id": "ANL-3M6N2P"} }
{"user_id":"USR-L5Q8ST","action":"checkout","timestamp":"2025-07-29T08:18:20Z","order_value":149.99}

批量查看文档（_mget）

一次请求获取多个文档。

POST http://192.168.130.61:9200/_mget
{"docs": [{"_index": "webdata-analytics","_id": "ANL-9Z1X8V"},{"_index": "webdata-analytics","_id": "ANL-3M6N2P"}]
} 

批量修改文档

POST http://192.168.130.61:9200/_bulk
{ "update" : {"_id" : "ANL-9Z1X8V", "_index" : "webdata-analytics"} }
{ "doc" : {"status" : "processed"} }
{ "update" : {"_id" : "ANL-3M6N2P", "_index" : "webdata-analytics"} }
{ "doc" : {"status" : "completed"} }

批量删除文档

POST http://192.168.130.61:9200/_bulk
{ "delete" : {"_id" : "ANL-9Z1X8V", "_index" : "webdata-analytics"} }
{ "delete" : {"_id" : "ANL-3M6N2P", "_index" : "webdata-analytics"} }

---

七、Elasticsearch 的核心数据类型实战

IP 地例

创建索引并定义 IP 映射

PUT http://192.168.130.61:9200/security-firewall-logs
{"mappings" :{"properties": {"source_ip" : {"type": "ip"},"timestamp": {"type": "date"},"action": {"type": "keyword"}}},"settings": {"number_of_shards": 3,"number_of_replicas": 0}
}

查看索引映射

GET http://192.168.130.61:9200/security-firewall-logs

批量写入测试数据

POST http://192.168.130.61:9200/_bulk
{ "create": { "_index": "security-firewall-logs"} }
{ "source_ip": "192.168.130.61", "timestamp": "2025-07-29T09:00:00Z", "action": "allowed" }          
{ "create": { "_index": "security-firewall-logs"} }
{ "source_ip": "192.168.130.62", "timestamp": "2025-07-29T09:05:30Z", "action": "blocked" }          
{ "create": { "_index": "security-firewall-logs"} }
{ "source_ip": "172.31.10.100", "timestamp": "2025-07-29T09:10:15Z", "action": "allowed" }           
{ "create": { "_index": "security-firewall-logs"} }
{ "source_ip": "10.0.0.200", "timestamp": "2025-07-29T09:15:45Z", "action": "blocked" }              
{ "create": { "_index": "security-firewall-logs"} }
{ "source_ip": "192.168.20.99", "timestamp": "2025-07-29T09:20:20Z", "action": "allowed" }
{ "create": { "_index": "security-firewall-logs"} }
{ "source_ip": "10.0.0.100", "timestamp": "2025-07-29T09:25:10Z", "action": "blocked" }    

查询特定网段的 IP

利用 match 查询 IP 地址或 CIDR 网段。

GET http://192.168.130.61:9200/security-firewall-logs/_search
{"query": {"match" : {"source_ip": "192.168.0.0/16"}}
}

Date 日期类型案例

创建索引并定义 Date 映射

PUT http://192.168.130.61:9200/userindex-date-example
{"mappings": {"properties": {"maintenance_window": {"type":   "date","format": "yyyy-MM-dd HH:mm:ss"},"task_id": {"type": "keyword"},"status": {"type": "keyword"}}}
}

查看索引映射

GET http://192.168.130.61:9200/userindex-date-example

写入测试数据

POST http://192.168.130.61:9200/_bulk
{ "create": { "_index": "userindex-date-example"} }
{ "task_id": "TASK-2025-001", "maintenance_window": "2025-08-15 02:00:00", "status": "planned" }
{ "create": { "_index": "userindex-date-example"} }
{ "task_id": "TASK-2025-002", "maintenance_window": "2025-09-20 03:30:00", "status": "planned" }
{ "create": { "_index": "userindex-date-example"} }
{ "task_id": "TASK-2025-003", "maintenance_window": "2025-07-10 01:45:00", "status": "completed" }

按日期排序查询

GET http://192.168.130.61:9200/userindex-date-example/_search
{"sort": [ { "maintenance_window": { "order": "asc" } }]
}

---

综合案例：电商交易数据

创建索引

PUT http://192.168.130.61:9200/ecommerce-transactions

查看索引信息

GET http://192.168.130.61:9200/ecommerce-transactions

为索引添加详细的映射（Mappings）

PUT http://192.168.130.61:9200/ecommerce-transactions/_mapping
{"properties": {"customer_id": {"type": "keyword"},"transaction_type": {"type": "keyword"},"country": {"type": "keyword"},"city": {"type": "keyword","index": false // 该字段不可被搜索，节省空间},"payment_method": {"type": "keyword"},"client_ip": {"type": "ip"},"transaction_time": {"type":   "date","format": "yyyy-MM-dd HH:mm:ss"},"amount": {"type": "float"}}
}

批量添加测试数据

POST http://192.168.130.61:9200/_bulk
{ "create": { "_index": "ecommerce-transactions"}}
{ "customer_id": "CUST-8K2P9Q", "transaction_type": "purchase", "country": "US", "city": "New York", "payment_method": "credit_card", "client_ip": "192.168.25.201", "transaction_time": "2025-07-28 14:30:25", "amount": 189.50}
{ "create": { "_index": "ecommerce-transactions"}}
{ "customer_id": "CUST-3M5N7R", "transaction_type": "refund", "country": "DE", "city": "Berlin", "payment_method": "paypal", "client_ip": "192.168.15.31", "transaction_time": "2025-07-28 15:45:10", "amount": 75.25, "refund_reason": "product_defective"}

基于 keyword 字段查询

# 查询退款交易
GET http://192.168.130.61:9200/ecommerce-transactions/_search
{"query":{"match":{"transaction_type": "refund"}}
}# 查询特定客户
GET http://192.168.130.61:9200/ecommerce-transactions/_search
{"query":{"match":{"customer_id": "CUST-8K2P9Q"}}
}# 查询特定支付方式
GET http://192.168.130.61:9200/ecommerce-transactions/_search
{"query":{"match":{"payment_method": "credit_card"}}
}

基于 IP 字段查询

# 查询来自特定网段的交易
GET http://192.168.130.61:9200/ecommerce-transactions/_search
{"query": {"match" : {"client_ip": "192.168.15.0/24"}}
}

关于 city 字段的搜索

注意：尝试基于 city 字段进行搜索（如 match: { "city": "New York" }）将无法返回结果，因为该字段在映射中被设置为 "index": false。这意味着它不会被加入倒排索引，因此不能用于搜索，但可以用于聚合、排序或脚本中。