https://segmentfault.com/a/1190000002972420 通配符 ? 匹配单个字符 * 匹配0到多个字符 kiba?a, el*search ? * 不能用作第一个字符，例如：?text *text ==================== 正则 es支持部分正则功能,性能较差 name:/joh?n(ath[oa]n)/ ==================== 模糊搜索 quikc~ brwn~ foks~ :在一个单词后面加上启用模糊搜索，可以搜到一些拼写错误的单词 first~ 这种也能匹配到 frist 还可以设置编辑距离（整数），指定需要多少相似度 cromm~1 会匹配到 from 和 chrome 默认2，越大越接近搜索的原始值，设置为1基本能搜到80%拼写错误的单词 ==================== 逻辑操作 AND OR +：搜索结果中必须包含此项 -：不能含有此项 +apache -jakarta test aaa bbb：结果中必须存在apache，不能有jakarta，剩余部分尽量都匹配到 ==================== 分组 (jakarta OR apache) AND jakarta ==================== 转义特殊字符 + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ / 以上字符当作值搜索的时候需要用\转义 \(1\+1\)\=2用来查询(1+1)=2 ...

https://stackoverflow.com/questions/33017329/where-is-a-log-file-with-logs-from-a-container get container id docker ps |grep < container name > get container log /var/lib/docker/containers/< container id >/< container id >-json.log

https://youtu.be/HLHA951azDw?t=441

Stickies

ELK 教學 - 定期清除 Elasticsearch 資料 https://blog.johnwu.cc/article/elk-purge-elasticsearch-index.html https://www.elastic.co/guide/en/elasticsearch/client/curator/current/configfile.html https://www.elastic.co/guide/en/elasticsearch/client/curator/current/ex_delete_indices.html https://anjia0532.github.io/2017/04/06/elasticsearch-delete-indices-by-date/ config.yml # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" client: hosts: - xxx.xxx.xxx.xxx port: 9200 url_prefix: use_ssl: False certificate: client_cert: client_key: ssl_no_validate: False http_auth: timeout: 30 #timeout: 60 master_only: False logging: loglevel: INFO logfile: logformat: default blacklist: ['elasticsearch', 'urllib3'] curator_filebeat.yml # Remember, leave a key empty if there is no value. None will be a string, # not a Python "NoneType" # # Also remember that all examples have 'disable_action' set to True. If you # want to use this action as a template, be sure to set this to False after # copying it. actions: 1: action: delete_indices description: >- Delete indices older than 30 days (based on index name), for logstash- prefixed indices. Ignore the error if the filter does not result in an actionable list of indices (ignore_empty_list) and exit cleanly. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: prefix value: filebeat- - filtertype: age source: name direction: older timestring: '%Y.%m.%d' unit: days unit_count: 30 curator_heartbeat.yml ...