ES在多字段中查询包含的字符串

#获取末尾字符

# Pull the number at the very end of the last response file; it becomes the
# search_after value of the next query.
TIM=$(tail -c 18 a1.json | grep -Eo '[0-9]+')

#查询多个字段中包含的关键字。curl 的请求体用单引号包住，要在其中获取变量值，需要先闭合单引号，写入 $变量，再重新打开单引号（即 '${TIM}' 的写法）

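# search_after takes the sort value of the previous hit; check that TIM really is
# a number before splicing it into the JSON body, otherwise an empty or
# non-numeric value produces an invalid query. The body is single-quoted, so the
# variable is inserted as '"${TIM}"': close the single quote, expand the variable
# inside double quotes (no word-splitting or globbing), reopen the single quote.
case "${TIM-}" in
  '' | *[!0-9]*)
    printf 'search_after value is not a number: "%s"\n' "${TIM-}" >&2
    ;;
  *)
    curl -X GET 'http://127.0.0.1:9200/dra-nta-dt_packet_http_session_transform*/_search' \
      -H 'Content-Type: application/json' \
      -d '{ "query": { "multi_match": {
"query": "password", "type": "most_fields", "fields": ["HttpBody", "UriReq", "HttpBodyReq"] } },
"size": 1, "sort": { "@timestamp": "asc" } , "search_after": ['"${TIM}"']}'
    ;;
esac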

完整shell脚本

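#!/usr/bin/env bash
# queryes.sh - page through Elasticsearch hits whose HttpBody / UriReq /
# HttpBodyReq fields contain a keyword, one hit per request, using search_after.
#
# Usage: ./queryes.sh <seed-file> <keyword> <rounds>
#   $1  a previous response file (e.g. a1.json); the number at its very end is
#       used as the first search_after value
#   $2  keyword to search for
#   $3  number of follow-up requests to send
# Each response is saved as a<i>.json (i counts up from 4) and copied to
# tmp.json, from which the next search_after value is read.
# ES_URL (optional env var) overrides the endpoint, default http://127.0.0.1:9200.

ES_URL=${ES_URL:-http://127.0.0.1:9200}
ES_INDEX='dra-nta-dt_packet_http_session_transform*'

#######################################
# Print the number found in the last 18 bytes of a response file.
# NOTE(review): this assumes the response ends with the sort value followed by
# a few closing brackets, so that 18 bytes cover it - confirm against a real
# response before relying on it.
# Arguments: $1 - response file
# Outputs:   the number(s) matched, one per line, to stdout
#######################################
last_sort_value() {
  tail -c 18 -- "$1" | grep -Eo '[0-9]+'
}

#######################################
# Return 0 when $1 is a non-empty string of decimal digits.
# Replaces `expr $TIM + 1`, whose exit status is also 1 when the sum is 0.
# Arguments: $1 - value to check
#######################################
is_number() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Send one multi_match query with search_after, writing the response to stdout.
# Globals:   ES_URL, ES_INDEX (read)
# Arguments: $1 - keyword; $2 - search_after value (caller checks it is numeric)
# Returns:   curl's exit status
#######################################
query_es() {
  local keyword=$1
  local after=$2
  # The keyword lands inside a JSON string literal: escape backslashes and
  # double quotes so a value such as  foo"}}  cannot terminate the literal and
  # rewrite the rest of the query.
  keyword=${keyword//\\/\\\\}
  keyword=${keyword//\"/\\\"}
  curl -X GET "${ES_URL}/${ES_INDEX}/_search" \
    -H 'Content-Type: application/json' \
    --data-binary @- <<EOF
{ "query": { "multi_match": {
    "query": "${keyword}", "type": "most_fields",
    "fields": ["HttpBody", "UriReq", "HttpBodyReq"] } },
  "size": 1, "sort": { "@timestamp": "asc" }, "search_after": [${after}] }
EOF
}

if [ $# -ne 3 ]; then
  echo "请输入参数1:文件名;参数2:关键字;参数3:循环次数。" >&2
  echo "例如./queryes.sh a1.json password 10" >&2
  exit 1
fi

seed_file=$1
keyword=$2
rounds=$3
is_number "$rounds" || { echo "$rounds is not number " >&2; exit 1; }

TIM=$(last_sort_value "$seed_file")
last=$((rounds + 3))
for ((i = 4; i <= last; i++)); do
  # Stop as soon as a response does not end in a usable sort value.
  if ! is_number "$TIM"; then
    echo "$TIM is not number "
    break
  fi
  echo "after $TIM"
  query_es "$keyword" "$TIM" > "a$i.json"
  # tmp.json is kept as a side effect (always the latest response).
  cp -f -- "a$i.json" tmp.json
  TIM=$(last_sort_value tmp.json)
done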

  

执行脚本

  setsid bash queryes.sh b180.json password 20 &

原文地址:https://www.cnblogs.com/beilong/p/14539799.html