I'm trying to create a simple query to return matching deploymentId from the documents in index logstash.
I'm able to search match query but when adding time range getting following exemption.
Error:
"type" : "parsing_exception",
"reason" : "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
I want only the last 15 min records matching the deploymentId.
GET /logstash-dev-2021.12.03/_search
{
"query": {
"match": {
"deploymentId" : "64a5d214-368c-4760"
},
"range": {
"time": {
"gte": "now-15m",
"lte": "now"
}
}
}
}
I don't think you can use range and match in the same query,
You could try to use a boolean query.
GET /logstash-dev-2021.12.03/_search
{
"query": {
"bool": {
"filter": [
{
"range": {
"time": {
"gte": "now-15m",
"lte": "now"
}
}
}
],
"must": [
{
"match": {
"deploymentId" : "64a5d214-368c-4760"
}
}
]
}
}
}
Related
I'm new to dsl and this seems simple. The code should count total entries by the hour, within the date range specified. I added a bool such that the results should have a field called 'message' which should contain '[success'
GET sample_index/_search
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"message": "[sucess"
}
}
]
},
"range": {
"timestamp": {
"gte": "2021-01-01",
"lte": "2021-01-10"
}
}
},
"aggs": {
"hit_count_per_day": {
"date_histogram": {
"field": "timestamp",
"calendar_interval": "hour"
}
}
}
}
The error returned is
{
"error" : {
"root_cause" : [
{
"type" : "parsing_exception",
"reason" : "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line" : 13,
"col" : 5
}
],
"type" : "parsing_exception",
"reason" : "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line" : 13,
"col" : 5
},
"status" : 400
}
You need to include the range query also in the must clause. Modify your query as shown below
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"message": "[sucess"
}
},
{
"range": {
"timestamp": {
"gte": "2021-01-01",
"lte": "2021-01-10"
}
}
}
]
}
},
"aggs": {
"hit_count_per_day": {
"date_histogram": {
"field": "timestamp",
"calendar_interval": "hour"
}
}
}
}
My DSL query is shown below. For some reason when I run it in Kibana CLI, it tells me:
GET elastic-search-app-log*/_search
{
"size": 42,
"query": {
"range": {
"dateRanges": {
"gte": "2021-05-20T10:15:00",
"lte": "2021-05-18T14:58:00"
}
},
"match": {
"level": "Error"
}
}
}
I checked to see if maybe its the alignment of the braces but they look fine. Is there something causing this message?
You need to combine all the queries using bool/must clause
{
"size": 42,
"query": {
"bool": {
"must": [
{
"range": {
"dateRanges": {
"gte": "2021-05-20T10:15:00",
"lte": "2021-05-18T14:58:00"
}
}
},
{
"match": {
"level": "Error"
}
}
]
}
}
}
GET _search
{
"query": {
"bool":{
"filter":{
"and":[
{
"term":{
"Server": "XYZ"
},
"range": {
"DateTime":{
"from": "2018-12-13T00:20:48.782Z",
"to":"2018-12-14T00:20:48.782Z"
}
}
}
]
}}
}
}
Above is my elastic query to fetch all records belongs to XYZ Server and within the time range, I have Server and DateTime columns in my dataset but throws below error:
{ "error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 11
}
],
"type": "parsing_exception",
"reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 11 }, "status": 400 }
What am i missing here!
Your query is malformed use the following query instead:
GET _search
{
"query": {
"bool": {
"filter": [
{
"term": {
"Server": "XYZ"
}
},
{
"range": {
"DateTime":{
"from": "2018-12-13T00:20:48.782Z",
"to": "2018-12-14T00:20:48.782Z"
}
}
}
]
}
}
}
You can't have and in your filter clause. There is no and clause in ES query.
Basically, you need to combine filter on term and range clause. Please read combine filters in ES for more information on this.
As your query is using an invalid clause, ES isn't able to parse your query.
Please use the proper query and you should be able to get the results from ES.
Please try below query, which should work fine and let me know if it doesn't work.
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"term": {
"Server": "XYZ"
}
},
{
"bool": {
"must": [
{
"range": {
"DateTime": {
"from": "2018-12-13T00:20:48.782Z",
"to": "2018-12-14T00:20:48.782Z"
}
}
}
]
}
}
]
}
}
}
}
}
The error message is clearly saying that the query is not correct.
You can check the official docs for range query and for bool query to se that there is no filter inside bool queries and there is not from, to in range queries.
Please check this query.
GET _search
{
"query": {
"bool": {
"must": [
{
"term": {
"Server": "XYZ"
}
},
{
"range": {
"DateTime":{
"gt": "2018-12-13T00:20:48.782Z",
"lte": "2018-12-14T00:20:48.782Z"
}
}
}
]
}
}
}
I would like to get the number of documents that matches a specific string within a time range.
How can I specify a time range from this query?
GET myindex/_count
{
"query": {
"match" : {
"log" : "ERROR"
}
}
}
To get a time range:
{
"query": {
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lt": "now"
}
}
}
}
Is there a way to combine both queries?
The guys above me are correct, but they both added redundant [,] for the must which implies a query of more than on match field.
GET _search
{
"query": {
"bool" : {
"must" : {
"match" : { "log": "ERROR" }
},
"filter":
{
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lte": "now"
}
}
}
}
}
}
Sure you can.
It can be done in two ways: with filtering and boolean query.
Elastic recommends to use filters to prefilter results - they are faster then queries.
Boolean queries can geather different queries by AND, OR, NOT operators.
In official Elastic docs you can find example that almost fits your question - elasticsearch documentation
So your query will be like:
{
"query": {
"bool": {
"must": [
{
"match": {
"log": "ERROR"
}
}
],
"filter": {
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lte": "now"
}
}
}
}
}
}
try this.
{
"query": {
"bool": {
"filter": {
"range": {
"msgSubmissionTime": {
"gte": "now-10m",
"lt": "now"
}
}
},
"must": [
{
"term": {
"log" : "ERROR"
}
}
]
}
}
}
I am trying to filter the results from elastic search based on the dates falling between start date and end date.Elastic search version is 1.7.6.
It is giving completely wrong results.
I am using marvel for querying the index.
The schema is
"starting_on": {
"type": "date",
"format": "dateOptionalTime"
}
My query is below:--
GET XX/XX/_search
{
"_source": [
"arrivals.starting_on",
"arrivals.ending_on"
],
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"range": {
"starting_on": {
"gte" : "2017-10-14",
"format": "dateOptionalTime",
},
"ending_on": {
"lte" : "2017-10-17",
"format": "dateOptionalTime",
}
}
}
]
}
}
}
}
}
Your range query is wrong, you cannot have two fields in it, you need to have two range queries instead, like this:
GET XX/XX/_search
{
"_source": [
"arrivals.starting_on",
"arrivals.ending_on"
],
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"range": {
"arrivals.starting_on": {
"gte": "2017-10-14",
"format": "dateOptionalTime"
}
}
},
{
"range": {
"arrivals.ending_on": {
"lte": "2017-10-17",
"format": "dateOptionalTime"
}
}
}
]
}
}
}
}
}