Elasticsearch filter results by field - elasticsearch

I'm new to dsl and this seems simple. The code should count total entries by the hour, within the date range specified. I added a bool such that the results should have a field called 'message' which should contain '[success'
GET sample_index/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "message": "[success"
          }
        }
      ]
    },
    "range": {
      "timestamp": {
        "gte": "2021-01-01",
        "lte": "2021-01-10"
      }
    }
  },
  "aggs": {
    "hit_count_per_day": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "hour"
      }
    }
  }
}
The error returned is
{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line" : 13,
        "col" : 5
      }
    ],
    "type" : "parsing_exception",
    "reason" : "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line" : 13,
    "col" : 5
  },
  "status" : 400
}

You need to include the range query also in the must clause. Modify your query as shown below:
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "message": "[success"
          }
        },
        {
          "range": {
            "timestamp": {
              "gte": "2021-01-01",
              "lte": "2021-01-10"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "hit_count_per_day": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "hour"
      }
    }
  }
}

Related

malformed query, expected "END_OBJECT" but found "FIELD_NAME"

Hello, while running a terms query in the Kibana console, I am getting a parsing_exception.
Query
GET /products/_search
{
  "query": {
    "terms": {
      "tags.keyword": [ "Soup", "Cake" ]
    },
    "range": {
      "in_stock": {
        "gte": 10,
        "lte": 20
      }
    }
  }
}
Response/Exception
{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "[terms] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line" : 6,
        "col" : 5
      }
    ],
    "type" : "parsing_exception",
    "reason" : "[terms] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line" : 6,
    "col" : 5
  },
  "status" : 400
}
Can anyone tell me why I got this exception and how to solve it?
You need to use a boolean query to combine the terms and range queries. Modify your search query as shown below:
{
  "query": {
    "bool": {
      "must": [
        {
          "terms": {
            "tags.keyword": [
              "Soup",
              "Cake"
            ]
          }
        },
        {
          "range": {
            "in_stock": {
              "gte": 10,
              "lte": 20
            }
          }
        }
      ]
    }
  }
}

"[geo_distance] malformed query, expected [END_OBJECT] but found [FIELD_NAME]"

I am trying to create a search query with values within a 15m radius and within 3 weeks. I tried to execute this query:
"query": {
  "bool": {
    "must": {
      "match_all": {}
    },
    "filter": [
      {
        "geo_distance": {
          "distance": "1000km",
          "geoLocation": {
            "lat": 31.966467334184614,
            "lon": 35.83242623178664
          }
        },
        "range": {
          "map_date": {
            "gte": "now-3w/w",
            "lte": "now/w"
          }
        }
      }
    ]
  }
}
My date field is map_date and my geo point field is geoLocation.
I get this response :
{
  "error" : {
    "root_cause" : [
      {
        "type" : "parsing_exception",
        "reason" : "[geo_distance] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line" : 18,
        "col" : 8
      }
    ],
    "type" : "x_content_parse_exception",
    "reason" : "[18:8] [bool] failed to parse field [filter]",
    "caused_by" : {
      "type" : "parsing_exception",
      "reason" : "[geo_distance] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
      "line" : 18,
      "col" : 8
    }
  },
  "status" : 400
}
Help me please to figure out what I am doing wrong.
Your filter part was malformed, try:
{
  "query": {
    "bool": {
      "must": {
        "match_all": {}
      },
      "filter": [
        {
          "geo_distance": {
            "distance": "1000km",
            "geoLocation": {
              "lat": 31.966467334184614,
              "lon": 35.83242623178664
            }
          }
        },
        {
          "range": {
            "map_date": {
              "gte": "now-3w/w",
              "lte": "now/w"
            }
          }
        }
      ]
    }
  }
}
In your filter array you list a list of {}, take a look at:
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-filter-context.html

elasticsearch return hits found in aggregation

I am trying to get rows from my database that have a unique 'sku' field.
I have a working query which counts this number correctly, my query:
GET _search
{
  "size": 0,
  "aggs": {
    "unique_products": {
      "cardinality": {
        "field": "sku.keyword"
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "(merch1: 'Dog') AND ((store_name: 'walmart')) AND product_gap: 'yes'"
          }
        },
        {
          "range": {
            "capture_date": {
              "format": "date",
              "gte": "2020-05-13",
              "lte": "2020-08-03"
            }
          }
        }
      ]
    }
  }
}
Returns this result:
{
  "took" : 129,
  "timed_out" : false,
  "_shards" : {
    "total" : 514,
    "successful" : 514,
    "skipped" : 98,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 150,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "unique_products" : {
      "value" : 38
    }
  }
}
Which correctly reports the number of unique_products as 38.
I am trying to edit this query so that it will actually return all 38 unique products, but am unsure how. I started by trying to return the top hit from the agg result:
GET _search
{
  "size": 0,
  "aggs": {
    "unique_products": {
      "cardinality": {
        "field": "sku.keyword"
      }
    },
    "top_hits": {
      "size": 1,
      "_source": {
        "include": [
          "sku", "source_store"
        ]
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "(merch1: 'Dog') AND ((store_name: 'walmart')) AND product_gap: 'yes'"
          }
        },
        {
          "range": {
            "capture_date": {
              "format": "date",
              "gte": "2020-05-13",
              "lte": "2020-08-03"
            }
          }
        }
      ]
    }
  }
}
But got an error in my result saying:
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Expected [START_OBJECT] under [size], but got a [VALUE_NUMBER] in [top_hits]",
        "line": 10,
        "col": 13
      }
    ],
    "type": "parsing_exception",
    "reason": "Expected [START_OBJECT] under [size], but got a [VALUE_NUMBER] in [top_hits]",
    "line": 10,
    "col": 13
  },
  "status": 400
}
Is a cardinality agg still my best bet for returning all 38 unique products? Thanks.
While the cardinality aggregation gives the unique count, it cannot accept sub-aggs. In other words, top_hits cannot be used here directly.
The approach was correct, but you may first want to bucketize the skus and then retrieve the underlying docs using top_hits:
{
  "size": 0,
  "aggs": {
    "unique_products": {
      "cardinality": {
        "field": "sku.keyword"
      }
    },
    "terms_agg": {
      "terms": {
        "field": "sku.keyword",
        "size": 100
      },
      "aggs": {
        "top_hits_agg": {
          "top_hits": {
            "size": 1,
            "_source": {
              "include": [
                "sku",
                "source_store"
              ]
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "(merch1: 'Dog') AND ((store_name: 'walmart')) AND product_gap: 'yes'"
          }
        },
        {
          "range": {
            "capture_date": {
              "format": "date",
              "gte": "2020-05-13",
              "lte": "2020-08-03"
            }
          }
        }
      ]
    }
  }
}
FYI The reason your query threw an exception is that top_hits is an agg type and, just like unique_products, it was missing its own name.
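As an added example for the answer above (not the poster's code), the following Python builds the terms + top_hits request and then flattens a response into one document per SKU. It also reads sum_other_doc_count, which Elasticsearch reports on every terms aggregation: a non-zero value means the terms size cap cut buckets off, so the list would be silently incomplete. The function names and the sample response are constructed for this example.

```python
import json


def unique_products_request(query, field="sku.keyword", max_buckets=100,
                            source_fields=("sku", "source_store")):
    """Build the terms + top_hits request from the answer above.

    One bucket per distinct value of `field`; each bucket carries one
    representative document with only the requested _source fields.
    (Hypothetical helper; the agg names are constructed.)
    """
    return {
        "size": 0,
        "query": query,
        "aggs": {
            "unique_products": {"cardinality": {"field": field}},
            "by_sku": {
                "terms": {"field": field, "size": max_buckets},
                "aggs": {
                    "example_doc": {
                        "top_hits": {
                            "size": 1,
                            "_source": {"includes": list(source_fields)},
                        }
                    }
                },
            },
        },
    }


def collect_unique_products(response):
    """Flatten the terms buckets into one dict per distinct SKU.

    Raises ValueError when the terms aggregation was truncated: any docs
    counted in sum_other_doc_count belong to values that got no bucket,
    so the caller must raise the size cap rather than trust the list.
    """
    agg = response["aggregations"]["by_sku"]
    other = agg.get("sum_other_doc_count", 0)
    if other > 0:
        raise ValueError(
            f"terms agg truncated: {other} docs fell outside the returned buckets; "
            "raise 'size' or paginate"
        )
    products = []
    for bucket in agg["buckets"]:
        hit = bucket["example_doc"]["hits"]["hits"][0]
        products.append({
            **hit["_source"],
            "sku": bucket["key"],
            "doc_count": bucket["doc_count"],
        })
    return products


# Constructed sample response: shape of a real terms/top_hits reply, not data
# from the thread above.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 5, "relation": "eq"}, "hits": []},
    "aggregations": {
        "unique_products": {"value": 2},
        "by_sku": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "SKU-001", "doc_count": 3,
                 "example_doc": {"hits": {"hits": [
                     {"_source": {"sku": "SKU-001", "source_store": "walmart"}}]}}},
                {"key": "SKU-002", "doc_count": 2,
                 "example_doc": {"hits": {"hits": [
                     {"_source": {"sku": "SKU-002", "source_store": "walmart"}}]}}},
            ],
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(unique_products_request({"match_all": {}}), indent=2))
    for product in collect_unique_products(SAMPLE_RESPONSE):
        print(product)
```

The cardinality value is an approximation (HyperLogLog++), so on large sets it may differ slightly from the number of terms buckets; treat it as a sanity check, not as the authoritative count of what the buckets return.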

ES plugin query

I am running the following query and getting an error:
Query:
POST /sbl_nmon2019.12.02/_search?size=0
{
  "query": {
    "bool": {
      "must": [
        {
          "range": { "#timestamp": { "gte": "now-30m" } },
          "aggs": { "max_cpu": { "field": "cpu_consumed" } },
          "match": { "Server": "siebeldbnode01" }
        }
      ]
    }
  }
}
Error:
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 5,
        "col": 5
      }
    ],
    "type": "parsing_exception",
    "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 5,
    "col": 5
  },
  "status": 400
}
The objective is to find the max of a numeric field from an index for the last 30 minutes of a specific node.
SY
Your query is not properly formatted; it should look like this instead.
POST /sbl_nmon2019.12.02/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "#timestamp": {
              "gte": "now-30m"
            }
          }
        },
        {
          "match": {
            "Server": "siebeldbnode01"
          }
        }
      ]
    }
  },
  "aggs": {
    "max_cpu": {
      "max": {
        "field": "cpu_consumed"
      }
    }
  }
}
MUST attribute values should be separate objects.
Correct format:
POST /sbl_nmon2019.12.02/_search?size=0
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "Server": "siebeldbnode01"
          }
        },
        {
          "range": {
            "#timestamp": {
              "gte": "now-30m"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "max_cpu": {
      "max": {
        "field": "cpu_consumed"
      }
    }
  }
}
Wrong format:
"must" : [{
  "range":{"#timestamp":{"gte": "now-30m"}},
  "aggs":{"max_cpu" : {"field":"cpu_consumed"}},
  "match":{"Server" : "siebeldbnode01"}
}]

How i can apply match and range in the query DSL in elasticsearch

I want to use match and range; my body in the query is:
{
  "query": {
    "match" : {
      "netscaler.ipadd" : "192.68.2.39"
    },
    "range": {
      "#timestamp": {
        "gte":"2015-08-04T11:00:00",
        "lt":"2015-08-04T12:00:00"
      }
    }
  },
  "aggs" : {
    "avg_grade" : {
      "avg" : { "field" : "netscaler.stat.system.memusagepcnt" }
    }
  }
}
and Elasticsearch responds with:
{
  "error": {
    "root_cause": [{
      "type": "parsing_exception",
      "reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
      "line": 6,
      "col": 7
    }],
    "type": "parsing_exception",
    "reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 6,
    "col": 7
  },
  "status": 400
}
I need to know which is the best way, or the correct way, to do that.
If you have multiple queries you probably should wrap them inside a bool query:
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "netscaler.ipadd": "192.68.2.39"
          }
        },
        {
          "range": {
            "#timestamp": {
              "gte": "2015-08-04T11:00:00",
              "lt": "2015-08-04T12:00:00"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "avg_grade": {
      "avg": {
        "field": "netscaler.stat.system.memusagepcnt"
      }
    }
  }
}
More info in the docs
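Every thread on this page (the date-range filter, the terms plus range query, the geo_distance filter, the "ES plugin query" with aggs inside must, and the match plus range query just above) trips the same parser rule: one query object holds exactly one query type, so several leaf queries have to be separate objects inside a bool clause array, and aggs belong beside query rather than inside it. The following Python is an added example, not code from any of the posts or from Elasticsearch itself: a small linter that checks a request body against that rule and reproduces the error text the server returns, plus a builder that assembles a correct bool query. The leaf-query list, the helper names and the sample bodies are my own assumptions.

```python
import json

# Leaf query types that appear in the threads above (constructed list; extend
# it for other query types your requests use).
LEAF_QUERIES = {"match", "match_all", "match_phrase", "term", "terms", "range",
                "query_string", "geo_distance", "exists", "prefix", "wildcard"}
BOOL_CLAUSES = {"must", "filter", "should", "must_not"}
BOOL_OPTIONS = {"minimum_should_match", "boost", "_name"}


def lint_query(query, path="query"):
    """Return a list of problems for the value of a request's "query" key.

    Mirrors the parser rule behind every error on this page: a query object
    holds exactly one query type. When several share one object, Elasticsearch
    names the first type it parsed ([bool], [terms], [range], ...) and reports
    "expected [END_OBJECT] but found [FIELD_NAME]". An empty list means clean.
    """
    if not isinstance(query, dict):
        return [f"{path}: expected an object, got {type(query).__name__}"]
    if len(query) != 1:
        first = next(iter(query)) if query else "?"   # JSON key order
        return [
            f"{path}: {sorted(query)} share one object; Elasticsearch would answer "
            f"'[{first}] malformed query, expected [END_OBJECT] but found [FIELD_NAME]'"
        ]
    problems = []
    (kind, body), = query.items()
    if kind == "bool":
        if not isinstance(body, dict):
            return [f"{path}.bool: expected an object"]
        for clause, value in body.items():
            if clause in BOOL_OPTIONS:
                continue
            if clause not in BOOL_CLAUSES:
                problems.append(f"{path}.bool: '{clause}' is not a bool clause "
                                "(aggs belong next to 'query', not inside it)")
                continue
            # A clause may be one object or an array of objects; lint each.
            items = value if isinstance(value, list) else [value]
            for i, item in enumerate(items):
                problems.extend(lint_query(item, f"{path}.bool.{clause}[{i}]"))
    elif kind not in LEAF_QUERIES:
        problems.append(f"{path}: '{kind}' is not a known query type")
    return problems


def bool_search(filters=(), must=(), aggs=None, size=0):
    """Assemble a search body that combines any number of leaf queries.

    Exact constraints (date ranges, terms, host names) go in 'filter', which
    is cached and does not affect scoring; analysed text matches go in 'must'.
    Aggregations sit beside 'query' at the top level.
    """
    body = {"size": size, "query": {"bool": {}}}
    if must:
        body["query"]["bool"]["must"] = list(must)
    if filters:
        body["query"]["bool"]["filter"] = list(filters)
    if aggs:
        body["aggs"] = aggs
    return body


# Constructed input: the first thread's broken "query" value, as posted.
BROKEN = {
    "bool": {"must": [{"match": {"message": "[success"}}]},
    "range": {"timestamp": {"gte": "2021-01-01", "lte": "2021-01-10"}},
}

# The same request built correctly.
FIXED = bool_search(
    filters=[{"range": {"timestamp": {"gte": "2021-01-01", "lte": "2021-01-10"}}}],
    must=[{"match": {"message": "[success"}}],
    aggs={"hit_count_per_hour": {"date_histogram": {"field": "timestamp",
                                                   "calendar_interval": "hour"}}},
)

if __name__ == "__main__":
    print(lint_query(BROKEN))
    print(lint_query(FIXED["query"]))
    print(json.dumps(FIXED, indent=2))
```

Running the linter over a request before sending it turns a 400 from the server into a local message that names the offending path, which is handy in CI for dashboards and detection rules that ship query DSL as JSON files.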
