I have two indexes "indexname" and "indexnamelookup" in the elasticsearch instance. And I have created index pattern indexname* in kibana and trying to join two fields "IP"(field in indexname) and "location.IP"(field in indexnamelookup).
GET /indexname*/_search?q=*
{
"query": {
"multi_match": {
"query": "",
"fields": [
"IP",
"location.IP"
]
}
}
}
Above query is working fine in elasticsearch. But it is not working in kibana. Has anyone else faced a similar situation?
The ?q=* in your query turns it into a match all that ignores the body.
I assume we're talking about Discover in Kibana: The query location.IP : "foo" or IP : "foo" will work.
Alternatively you can use your Elasticsearch query in Kibana as well if you add a filter and then use the Query DSL:
Related
Imagine that I have a specific data string and a specific query. The simple way to check that the query matches the data is to load the data into the Elastic index and run the online query. But can I do it without putting it into the index?
Maybe there are some open-source libraries that implement the Elastic search functionality offline, so I can call something like getScore(data, query)? Or it's possible to implement by using specific API endpoints?
Thanks in advance!
What you can do is to leverage the percolator type.
What this allows you to do is to store the query instead of the document and then test whether a document would match the stored query.
For instance, you first create an index with a field of type percolator that will contain your query (you also need to add in the mapping any field used by the query so ES knows what their types are):
PUT my_index
{
"mappings": {
"properties": {
"query": {
"type": "percolator"
},
"message": {
"type": "text"
}
}
}
}
Then you can index a real query, like this:
PUT my_index/_doc/match_value
{
"query" : {
"match" : {
"message" : "bonsai tree"
}
}
}
Finally, you can check using the percolate query if the query you've just stored would match
GET /my_index/_search
{
"query" : {
"percolate" : {
"field" : "query",
"document" : {
"message" : "A new bonsai tree in the office"
}
}
}
}
So all you need to do is to only store the query (not the documents), and then you can use the percolate query to check if the documents would have been selected by the query you stored, without having to store the documents themselves.
I am using Elastic 6.1+
I have created an index and added some values to it, the index mapping is text and numbers.
I want to create a multi_match on all of the fields in the index, query a text or a number and get the results back.
Also i would like to define that the score of field1 on the index is boosted
For some reason once i add the fields array it only search on that fields (added it in order to be able to define which field i want to boost and how much) and if i add to the fields array the "*" as field it return an error.
GET MyIndex/_search
{
"query": {
"multi_match": {
"query": "test1",
"fields": [
"field1^3",
"*"
]
}
}
}
Thank you
Apparently adding
"lenient": true
to the query solved the problem
In elasticsearch, i can access the default search api like
server: 9200/index/_search?q=keyword but how can i replicate this if I am building the query myself? I've tried multi_match and query string, but the result set seem a bit different than the default search api.
PS: i am using elasticsearch PHP client, if that matters
The equivalent query to server:9200/index/_search?q=keyword is a query_string query like this one
{
"query": {
"query_string": {
"query": "keyword"
}
}
}
My logstash service sends the logs to elasticsearch as daily indices.
elasticsearch {
hosts => [ "127.0.0.1:9200" ]
index => "%{type}-%{+YYYY.MM.dd}"
}
Does Elasticsearch provides the API to lookup the indices before specific date?
For example, how could I get the indices created before 2015-12-15 ?
The only time I really care about what indexes are created is when I want to close/delete them using curator. Curator has "age" type features built in, if that's also your use case.
I think you are looking for Indices Query have a look here
Here is an example:
GET /_search
{
"query": {
"indices" : {
"query": {
"term": {"description": "*"}
},
"indices" : ["2015-01-*", "2015-12-*"],
"no_match_query": "none"
}
}
}
Each index has a creation_date field.
Since the number of indices is supposed to be quite small there's no such feature as 'searching for indices'. So you just get their metadata and filter them inside your app. The creation_date is also available via _cat API.
I need to write a query which will search across all indices in Elastisearch and return me a list of all indices where at least one document meets query requirements.
For now I`m getting top 2000 documents and distinct them by index name.
To search across all indices in the elastcsearch, you can use the _all option.
You can try similar to following, to get the indices which gets hits for the query
POST _all/_search
{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "you search criteia"
}
}
}
}
}
Most APIs that refer to an index parameter support execution across multiple indices, using simple test1,test2,test3 notation (or _all for all indices)
You can extract the index name from the result set which will be present under _index
sample result:
"hits": [
{
"_index": "index-name",
}
]