Elasticsearch query to search a term within a date range - elasticsearch

GET _search
{
  "query": {
    "bool": {
      "filter": {
        "and": [
          {
            "term": {
              "Server": "XYZ"
            },
            "range": {
              "DateTime": {
                "from": "2018-12-13T00:20:48.782Z",
                "to": "2018-12-14T00:20:48.782Z"
              }
            }
          }
        ]
      }
    }
  }
}
Above is my Elasticsearch query to fetch all records belonging to server XYZ within the time range. I have Server and DateTime columns in my dataset, but it throws the error below:
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 9,
        "col": 11
      }
    ],
    "type": "parsing_exception",
    "reason": "[term] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 9,
    "col": 11
  },
  "status": 400
}
What am I missing here?

Your query is malformed; use the following query instead:
GET _search
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "Server": "XYZ"
          }
        },
        {
          "range": {
            "DateTime": {
              "from": "2018-12-13T00:20:48.782Z",
              "to": "2018-12-14T00:20:48.782Z"
            }
          }
        }
      ]
    }
  }
}

You can't have an and in your filter clause. There is no and clause in the ES query DSL.
Basically, you need to combine the filter on the term and range clauses. Please read about combining filters in ES for more information on this.
As your query is using an invalid clause, ES isn't able to parse your query.
Please use the proper query and you should be able to get the results from ES.
Please try the query below, which should work fine, and let me know if it doesn't work.
{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "term": {
                "Server": "XYZ"
              }
            },
            {
              "bool": {
                "must": [
                  {
                    "range": {
                      "DateTime": {
                        "from": "2018-12-13T00:20:48.782Z",
                        "to": "2018-12-14T00:20:48.782Z"
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
}

The error message is clearly saying that the query is not correct.
You can check the official docs for the range query and for the bool query to see that there is no filter inside bool queries and there are no from, to in range queries.
Please check this query.
GET _search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "Server": "XYZ"
          }
        },
        {
          "range": {
            "DateTime": {
              "gt": "2018-12-13T00:20:48.782Z",
              "lte": "2018-12-14T00:20:48.782Z"
            }
          }
        }
      ]
    }
  }
}
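The structural mistake behind every "expected [END_OBJECT] but found [FIELD_NAME]" error on this page (the first question's query as well as the related ones further down) is one clause object carrying several query types, or a key such as and or aggs where a query type is expected. As an added example, not code from any of the answers, here is a small Python checker that flags those shapes offline, plus a builder for the well-formed bool/filter form the accepted answer uses; KNOWN is an assumed, deliberately incomplete list of query types, and the checker is a heuristic, not Elasticsearch's own parser.

```python
KNOWN = {"bool", "constant_score", "term", "terms", "match", "match_phrase",
         "range", "exists", "match_all"}   # assumed, deliberately small list
BOOL_CLAUSES = {"must", "filter", "should", "must_not"}
BOOL_OPTIONS = {"minimum_should_match", "boost", "_name"}

def find_malformed(clause, path="query"):
    """Return [(path, reason), ...] for the structural errors behind
    'malformed query, expected [END_OBJECT] but found [FIELD_NAME]'.
    A clause object must hold exactly one query type; {"term": ..,
    "range": ..} in one object is the mistake the questions here make."""
    problems = []
    if not isinstance(clause, dict):
        return [(path, "clause must be a JSON object")]
    if len(clause) != 1:
        problems.append((path, "one query type per object, got %s" % sorted(clause)))
    for qtype, body in clause.items():
        if qtype == "bool":
            for key, val in body.items():
                if key in BOOL_CLAUSES:      # a single object or an array of objects
                    subs = val if isinstance(val, list) else [val]
                    for i, sub in enumerate(subs):
                        problems += find_malformed(sub, "%s.bool.%s[%d]" % (path, key, i))
                elif key not in BOOL_OPTIONS:
                    problems.append((path + ".bool", "unexpected key %r" % key))
        elif qtype == "constant_score":
            problems += find_malformed(body.get("filter"), path + ".constant_score.filter")
        elif qtype not in KNOWN:             # e.g. the removed "and" filter, or "aggs"
            problems.append((path, "unknown query type %r" % qtype))
    return problems

def bool_query(terms, date_field, gte, lte):
    """Build the well-formed shape from the accepted answer: every term and
    the date range is its own object inside bool.filter (no scoring needed)."""
    filters = [{"term": {field: value}} for field, value in terms.items()]
    filters.append({"range": {date_field: {"gte": gte, "lte": lte}}})
    return {"query": {"bool": {"filter": filters}}}

# Constructed sample: the first question's query, term and range merged into one object.
BROKEN = {"bool": {"filter": {"and": [{
    "term": {"Server": "XYZ"},
    "range": {"DateTime": {"from": "2018-12-13T00:20:48.782Z",
                           "to": "2018-12-14T00:20:48.782Z"}}}]}}}

if __name__ == "__main__":
    for where, why in find_malformed(BROKEN):
        print(where, "->", why)
    fixed = bool_query({"Server": "XYZ"}, "DateTime",
                       "2018-12-13T00:20:48.782Z", "2018-12-14T00:20:48.782Z")
    print("fixed query problems:", find_malformed(fixed["query"]))
```

Run it against any query body from this page by pasting the JSON as a Python dict; an empty list from find_malformed means the clause nesting is the shape Elasticsearch expects.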

Related

Elasticsearch query range last 15min

I'm trying to create a simple query to return the matching deploymentId from the documents in the index logstash.
I'm able to search with a match query, but when adding a time range I get the following exception.
Error:
"type" : "parsing_exception",
"reason" : "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
I want only the last 15 min of records matching the deploymentId.
GET /logstash-dev-2021.12.03/_search
{
  "query": {
    "match": {
      "deploymentId" : "64a5d214-368c-4760"
    },
    "range": {
      "time": {
        "gte": "now-15m",
        "lte": "now"
      }
    }
  }
}
I don't think you can use range and match in the same query. You could try to use a boolean query.
GET /logstash-dev-2021.12.03/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "time": {
              "gte": "now-15m",
              "lte": "now"
            }
          }
        }
      ],
      "must": [
        {
          "match": {
            "deploymentId" : "64a5d214-368c-4760"
          }
        }
      ]
    }
  }
}

malformed query expected END_OBJECT

I am running the following GET query within my Kibana Console and for some reason I am getting an error in the response window as follows:
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 6,
        "col": 7
      }
    ],
    "type": "parsing_exception",
    "reason": "[bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 6,
    "col": 7
  },
  "status": 400
}
GET _search
{
  "query": {
    "bool": {
      "must": { "match_phrase": {"message": "some text"}}
    },
    "filter": {
      "range": {
        "#timestamp":{ "time_zone": "+03:00", "lte": "now-1d/d", "gte": "now-1d/d" }
      }
    }
  }
}
Both must and filter need to be wrapped inside the bool query:
{
  "query": {
    "bool": {
      "must": [
        {
          "match_phrase": {
            "message": "some text"
          }
        }
      ],
      "filter": [
        {
          "range": {
            "#timestamp": {
              "time_zone": "+03:00",
              "lte": "now-1d/d",
              "gte": "now-1d/d"
            }
          }
        }
      ]
    }
  }
}
By the way, it's good practice to use must, filter, should, and must_not as arrays.
That way, new conditions and clauses can be easily added. On top of that, you'll have a clearer query structure and it'll be harder to confuse the query components with one another.

Problem with Elasticsearch query - [range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]

I am unable to figure out what is wrong with the query below.
GET website/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "#timestamp": {
              "gte": "now-1d/d",
              "lt": "now/d"
            }
          },
          "match": {
            "aspnet-request-url.keyword": "abc.com/Default.aspx"
          }
        }
      ]
    }
  }
}
Both range and match are working fine independently.
As per the documentation, when merging more than one query we should use either must, filter or must_not under a bool query.
Still it is giving [range] malformed query, expected [END_OBJECT] but found [FIELD_NAME].
Any help is appreciated.
[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]
It is clear from the above error that the query is not properly formed. Please refer to this to know more about the structure of the query and filter context.
You are missing some brackets; try out the search query below.
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "#timestamp": {
              "gte": "now-1d/d",
              "lt": "now/d"
            }
          }
        },
        { <-- note this
          "match": {
            "aspnet-request-url.keyword": "abc.com/Default.aspx"
          }
        }
      ]
    }
  }
}

ES plugin query

I am running the following query and getting an error:
Query:
POST /sbl_nmon2019.12.02/_search?size=0
{
  "query": {
    "bool": {
      "must": [{
        "range": {"#timestamp": {"gte": "now-30m"}},
        "aggs": {"max_cpu": {"field": "cpu_consumed"}},
        "match": {"Server": "siebeldbnode01"}
      }]
    }
  }
}
Error:
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 5,
        "col": 5
      }
    ],
    "type": "parsing_exception",
    "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 5,
    "col": 5
  },
  "status": 400
}
The objective is to find the max of a numeric field from an index for the last 30 minutes of a specific node.
SY
Your query is not properly formatted; it should look like this instead.
POST /sbl_nmon2019.12.02/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "#timestamp": {
              "gte": "now-30m"
            }
          }
        },
        {
          "match": {
            "Server": "siebeldbnode01"
          }
        }
      ]
    }
  },
  "aggs": {
    "max_cpu": {
      "max": {
        "field": "cpu_consumed"
      }
    }
  }
}
MUST attribute values should be separate objects.
Correct format:
POST /sbl_nmon2019.12.02/_search?size=0
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "Server": "siebeldbnode01"
          }
        },
        {
          "range": {
            "#timestamp": {
              "gte": "now-30m"
            }
          }
        }
      ]
    },
    "aggs": {
      "max_cpu": {
        "field": "cpu_consumed"
      }
    }
  }
}
Wrong format:
"must" : [{
  "range":{"#timestamp":{"gte": "now-30m"}},
  "aggs":{"max_cpu" : {"field":"cpu_consumed"}},
  "match":{"Server" : "siebeldbnode01"}
}]

malformed query, expected END_OBJECT but found FIELD_NAME error in Kibana (Elastic Search)

I am running the following GET query within my Kibana Console and for some reason I am getting an error in the response window as follows:
// error
[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]
Can anyone suggest why I am not able to use multiple match blocks within the 'should' section?
// response - if I take out one of the match blocks it works??
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 9,
        "col": 13
      }
    ],
    "type": "parsing_exception",
    "reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
    "line": 9,
    "col": 13
  },
  "status": 400
}
// my query
GET _search
{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "text": "facebook advice"
          },
          "match": {
            "profile": "facebook advice"
          }
        }
      ],
      "minimum_number_should_match": 1,
      "filter": {
        "term": {
          "accountid": "22"
        }
      }
    }
  }
}
Your query is malformed. Write it like this instead:
GET _search
{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "text": "facebook advice"
          }
        },
        {
          "match": {
            "profile": "facebook advice"
          }
        }
      ],
      "minimum_number_should_match": 1,
      "filter": {
        "term": {
          "accountid": "22"
        }
      }
    }
  }
}
Give the query below a try. It works for me.
-------- working console query -------------
POST /usage-metering-stats/_search?size=10
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "tenantId": "2222"
          }
        },
        {
          "term": {
            "instanceId": "1212"
          }
        },
        {
          "term": {
            "cspId": "25680"
          }
        },
        {
          "term": {
            "api": "2"
          }
        }
      ]
    }
  },
  "aggs": {
    "totalCount": { "sum": { "field": "count" } }
  }
}
