malformed query expected END_OBJECT - elasticsearch

I am running the following GET query within my Kibana Console and for some reason I am getting an error in the response window as follows:
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 6,
"col": 7
}
],
"type": "parsing_exception",
"reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 6,
"col": 7
},
"status": 400
}
GET _search
{
"query": {
"bool": {
"must": { "match_phrase": {"message": "some text"}}
},
"filter": {
"range": {
"#timestamp":{ "time_zone": "+03:00", "lte": "now-1d/d", "gte": "now-1d/d" }
}
}
}
}

Both must and filter need to be wrapped inside the bool query:
{
"query": {
"bool": {
"must": [
{
"match_phrase": {
"message": "some text"
}
}
],
"filter": [
{
"range": {
"#timestamp": {
"time_zone": "+03:00",
"lte": "now-1d/d",
"gte": "now-1d/d"
}
}
}
]
}
}
}
By the way, it's good practice to use must, filter, should, and must_not as arrays.
That way, new conditions and clauses can be easily added. On top of that, you'll have a clearer query structure and it'll be harder to confuse the query components with one another.
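As an added example (not code from any of the posts above), a small Python helper that builds a bool query with every occurrence as an array of one-key clause objects, plus a linter that points at the spots that produce this parsing_exception; the request bodies are constructed here and the accepted bool parameter list is limited to the common ones:

```python
# Keys Elasticsearch accepts directly inside a "bool" object; any other key
# placed there (an "aggs", say) is a stray field the parser rejects.
BOOL_KEYS = {"must", "filter", "should", "must_not",
             "minimum_should_match", "boost", "_name"}
OCCURRENCE_KEYS = ("must", "filter", "should", "must_not")

def build_bool_query(must=(), filter=(), should=(), must_not=(),
                     minimum_should_match=None, aggs=None):
    """Assemble a body whose bool occurrences are arrays of one-key clause objects."""
    bool_body = {}
    for name, clauses in zip(OCCURRENCE_KEYS, (must, filter, should, must_not)):
        if clauses:
            bool_body[name] = [dict(c) for c in clauses]
    if minimum_should_match is not None:
        bool_body["minimum_should_match"] = minimum_should_match
    body = {"query": {"bool": bool_body}}
    if aggs is not None:
        body["aggs"] = aggs  # aggregations sit beside "query", never inside it
    return body

def lint_query(body):
    """List every spot that would raise
    '[x] malformed query, expected [END_OBJECT] but found [FIELD_NAME]'."""
    problems = []

    def check_clause(node, path):
        # A clause object carries exactly one key: its query type.
        if not isinstance(node, dict) or len(node) != 1:
            got = sorted(node) if isinstance(node, dict) else type(node).__name__
            problems.append(f"{path}: expected one clause per object, got {got}")
            return
        (kind, inner), = node.items()
        if kind == "bool" and isinstance(inner, dict):
            check_bool(inner, path + "/bool")

    def check_bool(node, path):
        for key, value in node.items():
            if key not in BOOL_KEYS:
                problems.append(f"{path}/{key}: not a bool parameter")
            elif key in OCCURRENCE_KEYS:
                clauses = value if isinstance(value, list) else [value]
                for i, clause in enumerate(clauses):
                    check_clause(clause, f"{path}/{key}[{i}]")

    if "query" in body:
        check_clause(body["query"], "query")
    return problems

# Constructed sample in the shape of the first post: "filter" placed beside "bool".
BROKEN = {"query": {"bool": {"must": [{"match_phrase": {"message": "some text"}}]},
                    "filter": {"range": {"DateTime": {"gte": "now-1d/d"}}}}}
```

Running lint_query(BROKEN) names the "query" object as holding two clauses, and the same body rebuilt with build_bool_query lints clean.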

Related

Elasticsearch query for GCP alpha and beta APIs

Trying to get this query below to work on GCP. I need this to query for beta APIs being used every 24 hours. I keep getting an error in the query. Probably a simple syntax error, but I'm not seeing it.
GET /gcp-%2A/_search
{
"query": {
"range" : {
"timestamp" : {
"gte" : "now-1d/d",
"lt" : "now/d"
}
},
"wildcard": {
"protoPayload.methodName": {
"value": "*beta*",
"boost": 1.0,
"rewrite": "constant_score"
}
}
}
}
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 13
}
],
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 13
},
"status": 400
}
You were almost there:
GET /gcp-%2A/_search
{
"query": {
"bool": {
"must": [
{
"range": {
"timestamp": {
"gte": "now-1d/d",
"lt": "now/d"
}
}
},
{
"wildcard": {
"protoPayload.methodName": {
"value": "*beta*",
"boost": 1,
"rewrite": "constant_score"
}
}
}
]
}
}
}

ES plugin query

I am running the following query and getting an error:
Query :
POST /sbl_nmon2019.12.02/_search?size=0
{"query":{
"bool":{
"must" : [{
"range":{"#timestamp":{"gte": "now-30m"}},
"aggs":{"max_cpu" : {"field":"cpu_consumed"}},
"match":{"Server" : "siebeldbnode01"}
}]
}
}}
Error:
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 5,
"col": 5
}
],
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 5,
"col": 5
},
"status": 400
}
The objective is to find the max of a numeric field from an index for the last 30 minutes for a specific node.
SY
Your query is not properly formatted; it should look like this instead.
POST /sbl_nmon2019.12.02/_search
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"#timestamp": {
"gte": "now-30m"
}
}
},
{
"match": {
"Server": "siebeldbnode01"
}
}
]
}
},
"aggs": {
"max_cpu": {
"max": {
"field": "cpu_consumed"
}
}
}
}
MUST attribute values should be separate objects.
Correct format:
POST /sbl_nmon2019.12.02/_search?size=0
{
"query": {
"bool": {
"must": [
{
"match": {
"Server": "siebeldbnode01"
}
},
{
"range": {
"#timestamp": {
"gte": "now-30m"
}
}
}
]
}
},
"aggs": {
"max_cpu": {
"max": {
"field": "cpu_consumed"
}
}
}
}
Wrong Format:
"must" : [{
"range":{"#timestamp":{"gte": "now-30m"}},
"aggs":{"max_cpu" : {"field":"cpu_consumed"}},
"match":{"Server" : "siebeldbnode01"}
}]

Elastic query to search a term within a date range

GET _search
{
"query": {
"bool":{
"filter":{
"and":[
{
"term":{
"Server": "XYZ"
},
"range": {
"DateTime":{
"from": "2018-12-13T00:20:48.782Z",
"to":"2018-12-14T00:20:48.782Z"
}
}
}
]
}}
}
}
Above is my Elasticsearch query to fetch all records belonging to the XYZ server within the time range. I have Server and DateTime columns in my dataset, but it throws the error below:
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 11
}
],
"type": "parsing_exception",
"reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 11
},
"status": 400
}
What am I missing here?
Your query is malformed; use the following query instead:
GET _search
{
"query": {
"bool": {
"filter": [
{
"term": {
"Server": "XYZ"
}
},
{
"range": {
"DateTime":{
"from": "2018-12-13T00:20:48.782Z",
"to": "2018-12-14T00:20:48.782Z"
}
}
}
]
}
}
}
You can't have and in your filter clause. There is no and clause in an ES query.
Basically, you need to combine filter on term and range clause. Please read combine filters in ES for more information on this.
As your query is using an invalid clause, ES isn't able to parse your query.
Please use the proper query and you should be able to get the results from ES.
Please try below query, which should work fine and let me know if it doesn't work.
{
"query": {
"constant_score": {
"filter": {
"bool": {
"must": [
{
"term": {
"Server": "XYZ"
}
},
{
"bool": {
"must": [
{
"range": {
"DateTime": {
"from": "2018-12-13T00:20:48.782Z",
"to": "2018-12-14T00:20:48.782Z"
}
}
}
]
}
}
]
}
}
}
}
}
The error message is clearly saying that the query is not correct.
You can check the official docs for the range query and for the bool query to see that there is no filter inside bool queries and there is no from, to in range queries.
Please check this query.
GET _search
{
"query": {
"bool": {
"must": [
{
"term": {
"Server": "XYZ"
}
},
{
"range": {
"DateTime":{
"gt": "2018-12-13T00:20:48.782Z",
"lte": "2018-12-14T00:20:48.782Z"
}
}
}
]
}
}
}

How can I apply match and range in the query DSL in Elasticsearch

I want to use match and range; my body in the query is:
{
"query": {
"match" : {
"netscaler.ipadd" : "192.68.2.39"
},
"range": {
"#timestamp": {
"gte":"2015-08-04T11:00:00",
"lt":"2015-08-04T12:00:00"
}
}
},
"aggs" : {
"avg_grade" : {
"avg" : { "field" : "netscaler.stat.system.memusagepcnt" }
}
}
}
and Elasticsearch responds with:
{
"error": {
"root_cause": [{
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 6,
"col": 7
}],
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 6,
"col": 7
},
"status": 400
}
I need to know which is the best way, or the correct way, to do that.
If you have multiple queries you probably should wrap them inside a bool query:
{
"query": {
"bool": {
"must": [
{
"match": {
"netscaler.ipadd": "192.68.2.39"
}
},
{
"range": {
"#timestamp": {
"gte": "2015-08-04T11:00:00",
"lt": "2015-08-04T12:00:00"
}
}
}
]
}
},
"aggs": {
"avg_grade": {
"avg": {
"field": "netscaler.stat.system.memusagepcnt"
}
}
}
}
More info in the docs

malformed query, expected END_OBJECT but found FIELD_NAME error in Kibana (Elastic Search)

I am running the following GET query within my Kibana Console and for some reason I am getting an error in the response window as follows:
// error
[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]
Can anyone suggest why I am not able to use multiple match blocks within the 'should' section?
// response - if I take out one of the match blocks it works??
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 13
}
],
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 13
},
"status": 400
}
// my query
GET _search
{
"query": {
"bool": {
"should": [
{
"match": {
"text": "facebook advice"
},
"match": {
"profile": "facebook advice"
}
}
],
"minimum_number_should_match": 1,
"filter": {
"term": {
"accountid": "22"
}
}
}
}
}
Your query is malformed. Write it like this instead:
GET _search
{
"query": {
"bool": {
"should": [
{
"match": {
"text": "facebook advice"
}
},
{
"match": {
"profile": "facebook advice"
}
}
],
"minimum_number_should_match": 1,
"filter": {
"term": {
"accountid": "22"
}
}
}
}
}
Give the below query a try. It works for me.
-------- working console query -------------
POST /usage-metering-stats/_search?size=10
{
"query": {
"bool": {
"must": [{
"term": {
"tenantId": "2222"
}
},
{
"term": {
"instanceId": "1212"
}
},
{
"term": {
"cspId": "25680"
}
},
{
"term": {
"api": "2"
}
}
]
}
},
"aggs": {
"totalCount": { "sum": { "field": "count" } }
}
}