Elastic search Query - How to pass list of queries - elasticsearch

I have created an Index with 10000+ documents. Here is the sample from that:
{
"_index": "index_1",
"_type": "_doc",
"_id": "48a454f9-71d2-41a0-9e62-08c149366f05",
"_score": 13.977877,
"_source": {
"customer_id":10,
"customer_name": Mike,
"customer_phone": 1111111111,
"customer_address": "XYZ"
}
},
{
"_index": "index_1",
"_type": "_doc",
"_id": "48a454f9-71d2-41a0-9e62-08c149366f71",
"_score": 12.977861,
"_source": {
"customer_id":20,
"customer_name": Angie,
"customer_phone": 2222222222,
"customer_address": "ABC"
}
},
{
"_index": "index_1",
"_type": "_doc",
"_id": "48a454f9-71d2-41a0-9e62-08c149366f62",
"_score": 10.978777,
"_source": {
"customer_id":30,
"customer_name": John,
"customer_phone": 3333333333,
"customer_address": "PQR"
}
},
{
"_index": "index_1",
"_type": "_doc",
"_id": "48a454f9-71d2-41a0-9e62-08c149366f54",
"_score": 11.817877,
"_source": {
"customer_id":40,
"customer_name": Andy,
"customer_phone": 4444444444,
"customer_address": "MNO"
}
},
{
"_index": "index_1",
"_type": "_doc",
"_id": "48a454f9-71d2-41a0-9e62-08c149366f32",
"_score": 14.457877,
"_source": {
"customer_id": 50,
"customer_name": Nick,
"customer_phone": 5555555555,
"customer_address": "CDE"
}
},
{
"_index": "index_1",
"_type": "_doc",
"_id": "48a454f9-71d2-41a0-9e62-08c149366f21",
"_score": 16.487877,
"_source": {
"customer_id":60,
"customer_name": Atlas,
"customer_phone": 6666666666,
"customer_address": "DFE"
}
}
I want to pass multiple queries at once as a list in the JSON body and get the result back in list format as well.
For example, I want to pass the 3 queries below in the search condition at the same time:
1) customer_id = 10, customer_name = Mike, customer_phone = 1111111111
2) customer_id = 40, customer_name = Andy, customer_phone = 4444444444
3) customer_id = 50, customer_name = Nick, customer_phone = 5555555555
I can combine these 3 queries using 'AND' and 'OR' like below:
{
"query": {
"query_string": {
"query": "(customer_id: 10 AND customer_name: Mike AND customer_phone: 1111111111) OR (customer_id: 40 AND customer_name: Andy AND customer_phone: 4444444444) OR (customer_id: 50 AND customer_name: Nick AND customer_phone: 5555555555)"
}
}
}
Other than combining the queries as above, is there any better way to achieve the same (like passing the queries as a list)?

You can combine should and must queries.
{
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{
"term": {
"customer_id": {
"value": 10
}
}
},
{
"match": {
"custumer_name": "Mike"
}
},
{
"term": {
"customer_phone": {
"value": 1111111111
}
}
}
]
}
},
{
"bool": {
"must": [
{
"term": {
"customer_id": {
"value": 50
}
}
},
{
"match": {
"custumer_name": "Nick"
}
},
{
"term": {
"customer_phone": {
"value": 5555555555
}
}
}
]
}
},
{
"bool": {
"must": [
{
"term": {
"customer_id": {
"value": 40
}
}
},
{
"match": {
"custumer_name": "Andy"
}
},
{
"term": {
"customer_phone": {
"value": 4444444444
}
}
}
]
}
}
]
}
}
}
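As an added example (not part of the question or the answer above), the Python below builds the answer's bool/should of bool/must query from a plain list of criteria dicts, which is the "pass the queries as a list" the question asks for. Values stay JSON leaves instead of being spliced into a query_string, so a value that happens to contain query syntax is treated as data rather than as operators. The function names and the local matches() helper are assumptions of this example.

```python
import json

# Constructed sample criteria, the three rows listed in the question: each row
# must match in full (all of its fields), and any one row is enough for a hit.
CRITERIA = [
    {"customer_id": 10, "customer_name": "Mike", "customer_phone": 1111111111},
    {"customer_id": 40, "customer_name": "Andy", "customer_phone": 4444444444},
    {"customer_id": 50, "customer_name": "Nick", "customer_phone": 5555555555},
]


def clause_for(field, value):
    """Exact 'term' for numeric values, analysed 'match' for text (as in the answer)."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return {"match": {field: value}}
    return {"term": {field: {"value": value}}}


def build_list_query(criteria):
    """Translate a list of field dicts into bool/should wrapping one bool/must per row.

    Each inner bool/must requires every field of one row; the outer bool/should
    accepts a document matching any row. Nothing is string-concatenated, so the
    query structure cannot be altered by the values themselves.
    """
    if not criteria:
        raise ValueError("criteria list must not be empty")
    should = []
    for row in criteria:
        if not row:
            raise ValueError("each criteria row needs at least one field")
        must = [clause_for(field, value) for field, value in row.items()]
        should.append({"bool": {"must": must}})
    return {"query": {"bool": {"should": should, "minimum_should_match": 1}}}


def matches(doc, criteria):
    """Local evaluation with the same semantics, useful for testing without a cluster."""
    return any(all(doc.get(f) == v for f, v in row.items()) for row in criteria)


if __name__ == "__main__":
    print(json.dumps(build_list_query(CRITERIA), indent=2))
```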

Related

ElasticSearch compound queries

My index data is
{
"first_name":"Kevin",
"last_name":"John",
"job": "IT"
}
{
"first_name":"John",
"last_name":"Thimothy",
"job": "Accountant"
}
{
"first_name":"Eric",
"last_name":"Villa",
"job": "Driver"
}
{
"first_name":"John",
"last_name":"Villa",
"job": "Student"
}
I am not sure if anyone could help me build a query to get the data that has first_name or last_name as John and a job of IT or Student.
You need to use a combination of the bool/must/should clauses.
Search Query:
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"match": {
"first_name": "John"
}
},
{
"match": {
"last_name": "John"
}
}
]
}
},
{
"bool": {
"should": [
{
"match": {
"job": "IT"
}
},
{
"match": {
"job": "student"
}
}
]
}
}
]
}
}
}
Search Result will be
"hits": [
{
"_index": "66982646",
"_type": "_doc",
"_id": "1",
"_score": 2.4079456,
"_source": {
"first_name": "Kevin",
"last_name": "John",
"job": "IT"
}
},
{
"_index": "66982646",
"_type": "_doc",
"_id": "4",
"_score": 1.89712,
"_source": {
"first_name": "John",
"last_name": "Villa",
"job": "Student"
}
}
]

How to set order in Elasticsearch sortion

I want to apply an order for sorting in Elasticsearch. Unfortunately, the common standard sort can't sort in the following way:
special chars
numbers
alphabetic(aA-zZ)
My mapping:
PUT /sorting_by_name
{
"mappings": {
"sorting_by_name": {
"properties": {
"name": {
"type": "keyword"
}
}
}
}
}
I am querying Elasticsearch as follows:
GET /sorting_by_name/_search
{
"query": {
"match_all": {}
},
"sort": [
{ "name": { "order": "asc" } }
]
}
And I would want to get the following result:
[
{
"_id": "AXe1Y7vv7OkJxgqzrpj9",
"_source": {
"name": "{{{{ A {{{ sdasd"
}
},
{
"_id": "AXe1Y7vv7OkJxgqzrpj9",
"_source": {
"name": "{{{{ A {{{ sdasd"
}
},
{
"_id": "AXe1QBZz7OkJxgqzrpj2",
"_source": {
"name": "11asdasd"
}
},
{
"_id": "AXe1Y6id7OkJxgqzrpj8",
"_source": {
"name": "A {{{ sdasd"
}
},
{
"_id": "AXe1QFwn7OkJxgqzrpj4",
"_source": {
"name": "asdasd"
}
},
{
"_id": "AXe1ZOGe7OkJxgqzrpkC",
"_source": {
"name": "Ooopopl"
}
},
{
"_id": "AXe1ZM4V7OkJxgqzrpkB",
"_source": {
"name": "ooopopl"
}
}
]
But now I get the following result:
[
{
"_id": "AXe1Y7vv7OkJxgqzrpj9",
"_source": {
"name": "{{{{ A {{{ sdasd"
}
},
{
"_id": "AXe1QBZz7OkJxgqzrpj2",
"_source": {
"name": "11asdasd"
}
},
{
"_id": "AXe1Y6id7OkJxgqzrpj8",
"_source": {
"name": "A {{{ sdasd"
}
},
{
"_id": "AXe1ZOGe7OkJxgqzrpkC",
"_source": {
"name": "Ooopopl"
}
},
{
"_id": "AXe1QFwn7OkJxgqzrpj4",
"_source": {
"name": "asdasd"
}
},
{
"_id": "AXe1ZM4V7OkJxgqzrpkB",
"_source": {
"name": "ooopopl"
}
},
{
"_id": "AXe1Y7vv7OkJxgqzrpj9",
"_source": {
"name": "{{{{ A {{{ sdasd"
}
}
]
How would I get the expected result?

How to make flattened sub-field in the nested field in elastic search?

Here, I have an indexed document like:
doc = {
"id": 1,
"content": [
{
"txt": I,
"time": 0,
},
{
"txt": have,
"time": 1,
},
{
"txt": a book,
"time": 2,
},
{
"txt": do not match this block,
"time": 3,
},
]
}
And I want to match "I have a book", and return the matched time: 0,1,2. Is there anyone who knows how to build the index and the query for this situation?
I think the "content.txt" should be flattened but "content.time" should be nested?
want to match "I have a book", and return the matched time: 0,1,2.
Adding a working example with index mapping, search query, and search result:
Index Mapping:
{
"mappings": {
"properties": {
"content": {
"type": "nested"
}
}
}
}
Search Query:
{
"query": {
"nested": {
"path": "content",
"query": {
"bool": {
"must": [
{
"match": {
"content.txt": "I have a book"
}
}
]
}
},
"inner_hits": {}
}
}
}
Search Result:
"inner_hits": {
"content": {
"hits": {
"total": {
"value": 3,
"relation": "eq"
},
"max_score": 2.5226097,
"hits": [
{
"_index": "64752029",
"_type": "_doc",
"_id": "1",
"_nested": {
"field": "content",
"offset": 2
},
"_score": 2.5226097,
"_source": {
"txt": "a book",
"time": 2
}
},
{
"_index": "64752029",
"_type": "_doc",
"_id": "1",
"_nested": {
"field": "content",
"offset": 0
},
"_score": 1.5580825,
"_source": {
"txt": "I",
"time": 0
}
},
{
"_index": "64752029",
"_type": "_doc",
"_id": "1",
"_nested": {
"field": "content",
"offset": 1
},
"_score": 1.5580825,
"_source": {
"txt": "have",
"time": 1
}
}
]
}
}
}
}

How to query IP range in Elastic search?

I want to query the IP range from 172.16.0.0 to 172.31.0.0 in ELK.
I tried two query methods, but both fail.
{
"query": {
"bool": {
"should": [
{
"regexp": {
"DstIP": "172.(3[0-1]|1[6-9]|2[0-9]).*"
}
}
],
"minimum_should_match": 1
}
}
}
{
"query": {
"range": {
"DstIP": {
"gte": "172.16.0.0",
"lte": "172.31.0.0"
}
}
}
}
How can I query an IP range in ELK?
For range queries to work correctly on IP values it is necessary to define the field data type as ip.
Below is the working example with mapping, sample docs, and search query.
Mapping:
{
"mappings": {
"properties": {
"dest": {
"type": "ip"
}
}
}
}
Index data:
Then I've taken a couple of sample documents like this:
{ "dest":"172.16.0.0"}
{ "dest":"172.31.0.0"}
{ "dest":"172.21.0.0"}
{ "dest":"172.1.0.0" }
{ "dest":"172.12.0.0"}
Search Query :
{
"query": {
"range": {
"dest": {
"gte": "172.16.0.0",
"lte": "172.31.0.0"
}
}
}
}
Search Result :
"hits": [
{
"_index": "foo4",
"_type": "_doc",
"_id": "1",
"_score": 1.0,
"_source": {
"dest": "172.16.0.0"
}
},
{
"_index": "foo4",
"_type": "_doc",
"_id": "2",
"_score": 1.0,
"_source": {
"dest": "172.31.0.0"
}
},
{
"_index": "foo4",
"_type": "_doc",
"_id": "3",
"_score": 1.0,
"_source": {
"dest": "172.21.0.0"
}
}
]
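As an added example (not part of the answer above), the Python below builds the answer's range query after validating both bounds as addresses, and evaluates the same range locally two ways: numerically, as Elasticsearch does on a field of type ip, and lexicographically, as a keyword-mapped field would. One extra constructed address, 172.2.0.0, is added to the answer's five sample documents to show the false positive the string comparison produces; the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample documents: the five from the answer plus 172.2.0.0,
# added here to expose the difference between ip and keyword comparison.
DOCS = [{"dest": d} for d in ("172.16.0.0", "172.31.0.0", "172.21.0.0",
                              "172.1.0.0", "172.12.0.0", "172.2.0.0")]


def ip_range_query(field, gte, lte):
    """Build the range query from the answer, rejecting malformed or inverted bounds."""
    lo, hi = ipaddress.ip_address(gte), ipaddress.ip_address(lte)
    if lo > hi:
        raise ValueError(f"gte {lo} is above lte {hi}")
    return {"query": {"range": {field: {"gte": str(lo), "lte": str(hi)}}}}


def in_ip_range(value, gte, lte):
    """Numeric comparison, which is what Elasticsearch does on a field of type 'ip'."""
    return ipaddress.ip_address(gte) <= ipaddress.ip_address(value) <= ipaddress.ip_address(lte)


def in_string_range(value, gte, lte):
    """Lexicographic comparison, which is what a keyword-mapped field would do instead."""
    return gte <= value <= lte


def select(docs, field, gte, lte, comparator=in_ip_range):
    """Return the field values of the docs that fall in the range under a comparator."""
    return [d[field] for d in docs if comparator(d[field], gte, lte)]


if __name__ == "__main__":
    print(ip_range_query("dest", "172.16.0.0", "172.31.0.0"))
    print("ip type     :", select(DOCS, "dest", "172.16.0.0", "172.31.0.0"))
    print("keyword type:", select(DOCS, "dest", "172.16.0.0", "172.31.0.0", in_string_range))
```

Note that an upper bound of 172.31.0.0, as written in the question, stops at that single address; to cover the whole 172.16.0.0 to 172.31.255.255 block the lte must be 172.31.255.255.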

Elasticsearch: Query the most recent that doesn't contain the field 'X'

I have the following search query:
{
"query": {
"match": {
"name": "testlib"
}
}
}
When I do this query I get the three results below. What I want to do now is only return one result: the newest #timestamp that doesn't contain version_pre. So in this case, only return AV6qvDXDyHw9vNh6Wlpl.
[
{
"_index": "testsoftware",
"_type": "software",
"_id": "AV6qvDXDyHw9vNh6Wlpl",
"_score": 0.2876821,
"_source": {
"#timestamp": "2017-09-21T11:02:15-04:00",
"name": "testlib",
"version_major": 1,
"version_minor": 0,
"version_patch": 1
}
},
{
"_index": "testsoftware",
"_type": "software",
"_id": "AV6qvDF5MtcMTuGknsVs",
"_score": 0.18232156,
"_source": {
"#timestamp": "2017-09-20T17:21:35-04:00",
"name": "testlib",
"version_major": 1,
"version_minor": 0,
"version_patch": 0
}
},
{
"_index": "testsoftware",
"_type": "software",
"_id": "AV6qvDnVyHw9vNh6Wlpn",
"_score": 0.18232156,
"_source": {
"#timestamp": "2017-09-22T13:56:55-04:00",
"name": "testlib",
"version_major": 1,
"version_minor": 0,
"version_patch": 2,
"version_pre": 0
}
}
]
Use sort (https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-sort.html) and https://www.elastic.co/guide/en/elasticsearch/reference/2.3/query-dsl-exists-query.html:
{
"size" : 1,
"sort" : [{ "#timestamp" : {"order" : "desc"}}],
"query" : {
"bool": {
"must_not": {
"exists": {
"field": "version_pre"
}
}
}
}
}
Or even, via query string:
/_search?sort=#timestamp:desc&size=1&q=_missing_:version_pre