This article was last updated 11 days ago; the information in it may be out of date. If you find an error, please email big_fw@foxmail.com

# ES (Elasticsearch) Command Cheat Sheet

> Source: Yin Zhengjie (尹正杰) cloud-native video course, day01-04

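## I. ES Environment Deployment

### 1. Single-node deployment

```bash
# Download ES
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.29-amd64.deb

# Install
dpkg -i elasticsearch-7.17.29-amd64.deb
```

```yaml
# Edit /etc/elasticsearch/elasticsearch.yml
# 0.0.0.0 listens on every interface, and 7.x ships with security disabled by default,
# so keep port 9200 reachable only from trusted hosts until authentication and TLS are enabled.
network.host: 0.0.0.0
discovery.type: single-node
```

```bash
# Start the service
systemctl start elasticsearch.service

# Verify
curl 10.0.0.91:9200
```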

### 2. Cluster deployment

```yaml
# Edit /etc/elasticsearch/elasticsearch.yml
cluster.name: oldboyedu-cluster
network.host: 0.0.0.0
discovery.seed_hosts: ["10.0.0.91", "10.0.0.92", "10.0.0.93"]
cluster.initial_master_nodes: ["10.0.0.91", "10.0.0.92", "10.0.0.93"]
```

```bash
# Clear existing data and logs
rm -rf /var/{log,lib}/elasticsearch/*

# Distribute the configuration
scp /etc/elasticsearch/elasticsearch.yml 10.0.0.92:/etc/elasticsearch/

# Start (start all nodes at the same time)
systemctl enable --now elasticsearch.service
```

### 3. Ports

- 9200: HTTP/HTTPS, the port ES serves external clients on
- 9300: TCP, the port used for data transfer inside the ES cluster

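## II. Querying ES Cluster Status

```bash
# List the cluster nodes (URL quoted so the shell does not treat "?" as a glob)
curl '10.0.0.91:9200/_cat/nodes?v'

# Check cluster health
curl '10.0.0.91:9200/_cat/health?v'

# Meaning of the cluster status colors
# red: some primary shards are unavailable
# yellow: some replica shards are unavailable
# green: all primary and replica shards are healthy
```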

## III. DSL Operations

### 1. Writing data

```bash
# The bulk body must end with a newline, so the closing quote sits on its own line
curl --location --request POST 'http://10.0.0.91:9200/_bulk' \
--header 'Content-Type: application/json' \
--data-raw '{ "create" : { "_index" : "oldboyedu", "_id" : "1001" } }
{ "name" : "孙悟空","hobby": ["蟠桃","仙丹"] }
'
```

### 2. Querying data

```bash
# Show all documents
curl -s http://10.0.0.91:9200/oldboyedu/_search | jq

# Show a specific document
curl -s http://10.0.0.91:9200/oldboyedu/_doc/1001 | jq

# Fuzzy search (match query)
curl -s --location --request GET '10.0.0.91:9200/oldboyedu/_search' \
--header 'Content-Type: application/json' \
--data-raw '{"query": {"match": {"hobby": "蟠桃"}}}'
```

### 3. Updating data

```bash
curl --location --request POST 'http://10.0.0.91:9200/oldboyedu/_doc/1003' \
--header 'Content-Type: application/json' \
--data-raw '{"hobby": ["念经","拜佛"], "name": "唐僧"}'
```

### 4. Deleting data

```bash
# Delete a document
curl -X DELETE http://10.0.0.91:9200/oldboyedu/_doc/1003

# Delete the index
curl -X DELETE http://10.0.0.91:9200/oldboyedu/
```

## IV. Kibana Deployment

```bash
# Download and install
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.17.29-amd64.deb
dpkg -i kibana-7.17.29-amd64.deb
```

```yaml
# Edit /etc/kibana/kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://10.0.0.91:9200","http://10.0.0.92:9200"]
i18n.locale: "zh-CN"
```

```bash
# Start
systemctl enable --now kibana.service

# Then browse to http://IP:5601/
```

## V. Filebeat Deployment

```bash
# Install
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.29-amd64.deb
dpkg -i filebeat-7.17.29-amd64.deb

# stdin-to-console configuration (create the config directory first)
mkdir -p /etc/filebeat/config
cat > /etc/filebeat/config/01-stdin-to-console.yaml <<'EOF'
filebeat.inputs:
- type: stdin
output.console:
  pretty: true
EOF

# Start
filebeat -e -c /etc/filebeat/config/01-stdin-to-console.yaml

# Configuration for shipping logs to ES
cat > /etc/filebeat/config/nginx-to-es.yaml <<'EOF'
filebeat.inputs:
- type: log
  paths:
    - /var/log/nginx/access.log

output.elasticsearch:
  hosts: ["http://10.0.0.91:9200","http://10.0.0.92:9200"]
  index: "oldboyedu-nginx-%{+yyyy.MM.dd}"

setup.ilm.enabled: false
setup.template.name: "oldboyedu"
setup.template.pattern: "oldboyedu-nginx*"
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0
EOF
```

## VI. Logstash Deployment

```bash
# Install
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.29-amd64.deb
dpkg -i logstash-7.17.29-amd64.deb

# Basic configuration example
cat > /etc/logstash/conf.d/beats-es.conf <<'EOF'
input {
  beats {
    port => "6666"
  }
}

filter {
  grok {
    match => { "message" => "%{HTTPD_COMMONLOG}" }
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  useragent {
    source => "message"
    target => "agent-info"
  }
  geoip {
    source => "clientip"
    database => "/path/to/GeoLite2-City.mmdb"
  }
}

output {
  elasticsearch {
    hosts => ["10.0.0.91:9200"]
    index => "oldboyedu-nginx-%{+YYYY.MM.dd}"
  }
}
EOF

# Start
logstash -rf /etc/logstash/conf.d/beats-es.conf
```

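## VII. Enabling HTTPS Authentication on ES

```bash
# Generate the CA certificate
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --out /etc/elasticsearch/elastic-stack-ca.p12 --pass "" --days 36500

# Generate the ES certificate
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-stack-ca.p12 --out /etc/elasticsearch/elastic-certificates-https.p12 --pass "" --days 3650 --ca-pass ""
```

```yaml
# Edit elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates-https.p12
```

```bash
# Restart ES
systemctl restart elasticsearch.service

# Access over HTTPS
# -u needs xpack.security.enabled: true and a password set for the elastic user.
# -k skips certificate verification; pass the CA certificate with --cacert to verify the server.
curl https://10.0.0.91:9200 -u elastic:123456 -k
```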
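The HTTPS settings above only protect a node that also has authentication switched on. As an added example (not part of the original cheat sheet or the course), this POSIX shell check flags an `elasticsearch.yml` that binds a non-loopback `network.host` without `xpack.security.enabled: true` or `xpack.security.http.ssl.enabled: true`. It assumes flat dotted keys as used on this page; the function names `yml_get` and `audit_es_config` are hypothetical.

```bash
# Added example: audit elasticsearch.yml for an exposed, unauthenticated HTTP API.
# Print the value of a flat "key: value" setting, or nothing when it is unset.
yml_get() {  # $1 = file, $2 = setting name
  awk -v k="$2" '
    /^[ \t]*#/ { next }                      # skip comment lines
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)            # drop a trailing comment
      i = index(line, ":")
      if (i == 0) next
      key = substr(line, 1, i - 1); val = substr(line, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t"]+|[ \t"]+$/, "", val)     # trim spaces and quotes
      if (key == k) found = val
    }
    END { if (found != "") print found }' "$1"
}

# Print one finding per line; return 0 when clean, 1 otherwise.
audit_es_config() {  # $1 = path to elasticsearch.yml
  host=$(yml_get "$1" network.host)
  sec=$(yml_get "$1" xpack.security.enabled)
  tls=$(yml_get "$1" xpack.security.http.ssl.enabled)
  case "$host" in
    ""|localhost|127.*|_local_|::1) return 0 ;;  # unset means loopback only
  esac
  rc=0
  if [ "$sec" != "true" ]; then
    echo "NO_AUTH: network.host=$host but xpack.security.enabled is not true"; rc=1
  fi
  if [ "$tls" != "true" ]; then
    echo "NO_TLS: network.host=$host but xpack.security.http.ssl.enabled is not true"; rc=1
  fi
  return $rc
}

# Constructed sample: the single-node settings from the deployment section.
tmp=$(mktemp)
printf '%s\n' 'network.host: 0.0.0.0' 'discovery.type: single-node' > "$tmp"
audit_es_config "$tmp" || true   # prints a NO_AUTH and a NO_TLS finding
rm -f "$tmp"
```

Run it against `/etc/elasticsearch/elasticsearch.yml` on each node after distributing the configuration; a non-zero exit status means at least one finding.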

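## VIII. Filebeat API-Key Authentication

```
# Create the API key (in Kibana DevTools)
# "cluster": ["all"] gives the key full cluster administration; narrow it to the privileges Filebeat actually uses.
POST /_security/api_key
{
  "name": "linux100",
  "role_descriptors": {
    "filebeat_monitoring": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["oldboyedu-*"],
          "privileges": ["create_index", "create"]
        }
      ]
    }
  }
}
```

```yaml
# Filebeat configuration
output.elasticsearch:
  hosts: ["https://10.0.0.91:9200"]
  api_key: "id:api_key"
  # "none" disables certificate verification; to verify the server, point ssl.certificate_authorities at the CA certificate instead
  ssl.verification_mode: none
```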

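## IX. ES Cluster Tuning Parameters

```
# Heap size (recommended not to exceed 32GB)
# JVM options go in /etc/elasticsearch/jvm.options, not in elasticsearch.yml
-Xms16g
-Xmx16g
```

```yaml
# Number of shards
# index.* values are index-level settings: apply them per index or through an index template, not in elasticsearch.yml
index.number_of_shards: 3
index.number_of_replicas: 1

# Refresh interval
index.refresh_interval: 5s

# Bulk write buffer size (node-level setting in elasticsearch.yml)
indices.memory.index_buffer_size: 10%
```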
