In our cluster's Kibana dashboard I have a visualization that shows the total count of incoming traffic to an application. I want to obtain the same incoming-traffic count through a curl call so that I can automate some reporting. To do so, I first inspected the visualization and clicked on Request; below is what I got:
{
"aggs": {},
"size": 0,
"_source": {
"excludes": []
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "#timestamp",
"format": "date_time"
},
{
"field": "time",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"query_string": {
"fields": [
"remote_addr"
],
"query": "\\1\\0\\.\\0\\.*"
}
}
],
"minimum_should_match": 1
}
}
}
},
{
"bool": {
"filter": [
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"query_string": {
"fields": [
"remote_addr"
],
"query": "\\1\\0\\0\\.\\0\\.*"
}
}
],
"minimum_should_match": 1
}
}
}
},
{
"bool": {
"filter": [
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"match_phrase": {
"upstream_addr.keyword": “IP_ADDR:PORT”
}
}
],
"minimum_should_match": 1
}
}
}
},
{
"bool": {
"filter": [
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"match_phrase": {
"upstream_addr.keyword": “IP_ADDR:PORT”
}
}
],
"minimum_should_match": 1
}
}
}
},
{
"bool": {
"filter": [
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"match_phrase": {
"upstream_addr.keyword": “IP_ADDR:PORT”
}
}
],
"minimum_should_match": 1
}
}
}
},
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"match_phrase": {
"upstream_addr.keyword": “IP_ADDR:PORT”
}
}
],
"minimum_should_match": 1
}
}
}
}
]
}
}
]
}
}
]
}
}
]
}
}
]
}
},
{
"match_all": {}
},
{
"match_phrase": {
"kubernetes.labels.app.keyword": {
"query": "kong"
}
}
},
{
"exists": {
"field": "status"
}
},
{
"range": {
"#timestamp": {
"format": "strict_date_optional_time",
"gte": "2021-01-05T09:32:46.946Z",
"lte": "2021-01-05T09:47:46.946Z"
}
}
}
],
"should": [],
"must_not": [
{
"bool": {
"should": [
{
"match_phrase": {
"http_user_agent": "CloudWatchSynthetics"
}
},
{
"match_phrase": {
"http_user_agent": "Amazon-Route53-Health-Check-Service"
}
}
],
"minimum_should_match": 1
}
}
]
}
}
}
Now I took this request body and made a curl call to Elasticsearch like the one below. (Note that `-u elastic:password` exposes the password in shell history and in the process list of every user on the host; for an automated reporting job, prefer an Elasticsearch API key sent in an `Authorization: ApiKey …` header or credentials read from a `.netrc`/`-K` config file with restricted permissions, and use a dedicated read-only role for the reporting index rather than the `elastic` superuser.)
curl -u elastic:password -x GET "localhost:9200/_mget?pretty" -H 'Content-Type: application/json' -d'
<request_body_that_I_have_pasted_above>
'
But this throws the error below:
{
"error" : {
"root_cause" : [
{
"type" : "parsing_exception",
"reason" : "unexpected token [START_OBJECT], expected [FIELD_NAME] or [START_ARRAY]",
"line" : 3,
"col" : 11
}
],
"type" : "parsing_exception",
"reason" : "unexpected token [START_OBJECT], expected [FIELD_NAME] or [START_ARRAY]",
"line" : 3,
"col" : 11
},
"status" : 400
}
Is my approach right? What am I doing wrong here? (Reading the error: `_mget` only accepts a body of the form `{"docs": [...]}` or `{"ids": [...]}`, so its parser rejects the `{` that follows `"aggs":` on line 3 of the body — a Kibana search body belongs on the `_search` endpoint of the index the visualization reads, e.g. `localhost:9200/<index>/_search`. Two smaller issues in the command: lowercase `-x` is curl's proxy option, the request-method flag is `-X` (and `POST` is the natural method for a search body); and the redacted `“IP_ADDR:PORT”` values above use curly quotes, which are not valid JSON, so the real body must use straight double quotes.)
I'm very new to Elasticsearch. I'm using it for filtering and also for boosting some fields at query time. This is the part of the query that does the boosting and filtering:
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"multi_match": {
"type": "best_fields",
"query": "exampleKeyword",
"fields": [
"exampleField1^0",
"exampleField2^50",
"exampleField3^10",
"exampleField4^10",
"exampleField5^5"
],
"boost": 50
}
}]
}
}
],
"filter": [
{
"bool": {
"must": [
{
"bool": {
"must": [
{
"term": {
"bla": {
"value": ""
}
}
}
]
}
}, {
"term": {
"active": {
"value": "true"
}
}
},
{
"range": {
"closingDate": {
"gte": "201710310000",
"lte": "999912312359"
}
}
},
Now I want to boost some specific documents. I'll supply an array of integers (for example for Field6), and if my search results contain documents matching elements of that array, those documents should be boosted by, say, 100 on my scale.
How can I do this? Importantly, I don't want to expand the result set — I only want to boost the desired ids further when the results already contain them.
Using `function_score` you can do something along these lines. The `ids` filter inside `functions` only adjusts the score of documents that the inner query already matched, so the result set is not expanded:
{
"query": {
"bool": {
"must": [
{
"function_score": {
"query": {
"bool": {
"should": [
{
"multi_match": {
"type": "best_fields",
"query": "bla",
"fields": [
"exampleField1^0",
"exampleField2^50",
"exampleField3^10",
"exampleField4^10",
"exampleField5^5"
],
"boost": 50
}
}
]
}
},
"functions": [
{
"filter": {
"ids": {
"values": [
1,
5
]
}
},
"weight": 10
}
],
"score_mode": "max",
"boost_mode": "multiply"
}
}
],
"filter": [
{
"bool": {
"must": [
{
"bool": {
"must": [
{
"term": {
"bla": {
"value": ""
}
}
}
]
}
},
{
"term": {
"active": {
"value": "true"
}
}
},
{
"range": {
"closingDate": {
"gte": "201710310000",
"lte": "999912312359"
}
}
}
]
}
}
]
}
}
}
I want to run a full-text search on title and body and filter on answer count.
I read the Elasticsearch documentation on combining filters and built this query:
"query": {
"bool": {
"minimum_should_match": "25%",
"should": [
{
"query_string": {
"query": "elasticsearch",
"analyze_wildcard": "True",
"fields": [
"body"
]
}
},
{
"query_string": {
"query": "test",
"analyze_wildcard": "True",
"fields": [
"title"
]
}
}
]
},
"constant_score": {
"filter": {
"query": {
"bool": {
"must": [
{
"range": {
"answer_count": {
"gte": 0,
"lte": 0
}
}
}
]
}
}
}
}
}
}
It keeps giving me this error:
RequestError: TransportError(400, u'parsing_exception', u'no [query] registered for [filter]')
You need to write it like this. A `bool` query's `filter` clause takes a list of queries directly; the `constant_score` → `filter` → `query` nesting you used comes from the old filtered-query syntax and is what produces "no [query] registered for [filter]":
{
"query": {
"bool": {
"minimum_should_match": "25%",
"should": [
{
"query_string": {
"query": "elasticsearch",
"analyze_wildcard": "True",
"fields": [
"body"
]
}
},
{
"query_string": {
"query": "test",
"analyze_wildcard": "True",
"fields": [
"title"
]
}
}
],
"filter": [
{
"range": {
"answer_count": {
"gte": 0,
"lte": 0
}
}
}
]
}
}
}
I have this fairly simple ES query and filter, using ES 2.3.5:
{
"query": {
"multi_match": {
"query": "image",
"fields": [
"ToRecipients"
"From",
"Subject"
]
}
},
"filter": {
"bool": {
"must": [
{
"match": {
"ToRecipients": "johndoe"
}
}
]
}
},
"sort": [
{
"DateTimeSent": {
"order": "desc"
}
}
]
}
For some reason it is not filtering by the ToRecipients field: the results coming back have all kinds of values for that field, not just johndoe.
Where have I gone wrong?
Try this query instead. A top-level `filter` key is not part of the search body in ES 2.x (filters live inside a `bool` query), which appears to be why your filter is silently ignored; note also that the original `fields` list is missing a comma after `"ToRecipients"`:
{
"query": {
"bool": {
"must": [
{
"multi_match": {
"query": "image",
"fields": [
"ToRecipients",
"From",
"Subject"
]
}
}
],
"filter": {
"bool": {
"must": [
{
"match": {
"ToRecipients": "johndoe"
}
}
]
}
}
}
},
"sort": [
{
"DateTimeSent": {
"order": "desc"
}
}
]
}
Posting this to Elasticsearch throws the following exception:
org.elasticsearch.index.query.QueryParsingException: [myapp] No filter registered for [match]
http://localhost:9200/
GET myapp/_search/
{
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"match": {
"userName": "Micky"
}
},
{
"match": {
"Age": 21
}
}
],
"should": [],
"must_not": []
}
}
}
},
"from": 0,
"size": 20
}
Why is this query wrong (technical detail)?
There is no filter named `match`: in the `filtered` query syntax the `filter` section only accepts filters (such as `term`, `range`, `exists`), not full-text queries. You can either use `term` instead — keeping in mind that `term` does not analyze its input, so if `userName` is an analyzed string field the indexed token may be `micky` rather than `Micky` and the filter would not match —
POST myapp/_search/
{
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"term": {
"userName": "Micky"
}
},
{
"term": {
"Age": 21
}
}
],
"should": [],
"must_not": []
}
}
}
},
"from": 0,
"size": 20
}
or, since you are only using full-text `match` queries and no real filters, wrap the `bool` query in a `constant_score` query instead of `filtered`:
POST myapp/_search/
{
"query": {
"constant_score": {
"query": {
"bool": {
"must": [
{
"match": {
"userName": "Micky"
}
},
{
"match": {
"Age": 21
}
}
],
"should": [],
"must_not": []
}
}
}
},
"from": 0,
"size": 20
}
{
"sort": [
{
"is_active": "asc"
}
],
"fields": [
"is_job_seeking", "is_active"
],
"query": {
"bool": {
"must": [
{
"bool": {
"must": {
"term": {
"is_job_seeking": 1
}
}
}
}
]
}
}
}
This query returns all documents that have is_job_seeking=1, with both is_active=0 and is_active=1, and that's fine. Now, when I want to boost the score of documents that have is_active=1, I add a `boosting` clause like this:
{
"sort": [
{
"is_active": "asc"
}
],
"fields": [
"is_job_seeking", "is_active"
],
"query": {
"bool": {
"must": [
{
"bool": {
"must": {
"term": {
"is_job_seeking": 1
}
}
}
},
{
"boosting": {
"positive": {
"term": {
"is_active": 1
}
},
"negative": {
"term": {
"is_active": 0
}
},
"negative_boost": 0.3
}
}
]
}
}
}
but this gives me results only with is_active=1.
Try this: move the `boosting` clause from `must` to `should`. Inside `must` it is a required match that only documents with is_active=1 can satisfy, which is why the is_active=0 documents disappear; inside `should` it merely contributes to the score. Note also that your `sort` on `is_active` orders the hits by that field rather than by `_score`, so the boost will not be visible in the ordering unless you add `_score` to the sort:
{
"sort": [
{
"is_active": "asc"
}
],
"fields": [
"is_job_seeking",
"is_active"
],
"query": {
"bool": {
"must": [
{
"bool": {
"must": {
"term": {
"is_job_seeking": 1
}
}
}
}
],
"should": [
{
"boosting": {
"positive": {
"term": {
"is_active": 1
}
},
"negative": {
"term": {
"is_active": 0
}
},
"negative_boost": 0.3
}
}
]
}
}
}