How to join two queries in one using elasticsearch? - elasticsearch

Hi, I want to join two queries into one in Elasticsearch, but I don't know how to do it. I think I should use an aggregation, but I'm not very clear on how. Could you help me? My ES version is 5.1.2.
First filter by status and name:
POST test_lite/_search
{
  "aggs": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            { "match": { "STATUS": "Now" } },
            { "match": { "NAME": "PRUDENTL" } }
          ]
        }
      }
    }
  }
}
Look in the filtered records for the word filtered in the description:
POST /test_lite/_search
{
  "query": {
    "wildcard": { "DESCRIPTION": "*english*" }
  }
}

The only query needed is:
POST test_lite/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "STATUS": "Now" } },
        { "match": { "NAME": "PRUDENTL" } },
        { "wildcard": { "DESCRIPTION": "*english*" } }
      ]
    }
  }
}
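The merge the answer does by hand can be written as a small builder, shown here as an added example that is not part of the original question or answer. It takes any number of leaf clauses or already-built bool/must queries and flattens them into one bool/must, which is exactly how the two requests above became one. The function names are this example's own, as is the leading-wildcard check: a pattern such as "*english*" that starts with a wildcard makes Elasticsearch walk the whole term dictionary of the field, so a builder that accepts patterns from untrusted callers should refuse those unless the caller opts in.

```python
"""Added example (not from the original post): build one bool/must query from
several leaf clauses, as the accepted answer does by hand. The function names
and the leading-wildcard check are this example's own additions."""
import json


def _has_leading_wildcard(pattern: str) -> bool:
    """True when the pattern starts with * or ?, which forces Elasticsearch to
    scan every term of the field: slow, and a cheap way for a caller to load
    the cluster if the pattern is taken from untrusted input."""
    return pattern.startswith(("*", "?"))


def combine_must(*clauses: dict, allow_leading_wildcard: bool = False) -> dict:
    """Merge leaf clauses (match, term, wildcard, ...) and already-built
    bool/must queries into a single {"query": {"bool": {"must": [...]}}}.

    An incoming {"bool": {"must": [...]}} is flattened into the outer must
    list, which is what turns the asker's two requests into one."""
    must = []
    for clause in clauses:
        if set(clause) == {"bool"} and set(clause["bool"]) == {"must"}:
            must.extend(clause["bool"]["must"])
        else:
            must.append(clause)
    if not allow_leading_wildcard:
        for clause in must:
            for field, pattern in clause.get("wildcard", {}).items():
                # The wildcard query accepts either "pattern" or {"value": "pattern"}.
                value = pattern["value"] if isinstance(pattern, dict) else pattern
                if _has_leading_wildcard(value):
                    raise ValueError(f"leading wildcard on {field!r}: {value!r}")
    return {"query": {"bool": {"must": must}}}


# Constructed inputs mirroring the two requests in the question.
STATUS_AND_NAME = {"bool": {"must": [
    {"match": {"STATUS": "Now"}},
    {"match": {"NAME": "PRUDENTL"}},
]}}
DESCRIPTION = {"wildcard": {"DESCRIPTION": "*english*"}}


if __name__ == "__main__":
    # The asker's pattern starts with "*", so it is only accepted explicitly.
    print(json.dumps(combine_must(STATUS_AND_NAME, DESCRIPTION,
                                  allow_leading_wildcard=True), indent=2))
```

The printed body is the same request as the answer's single query; sending it is left to whatever HTTP client you already use against the cluster.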

Related

How to filter each index in a query with two indexes in Elastic?

I'm trying to make a query to fetch information from two different indexes in Elastic:
GET _search
{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              { "match": { "action": "VoiceQueueAbandonAction" } },
              { "match": { "action": "QualifyVoiceWel" } }
            ]
          }
        }
      ],
      "filter": {
        "range": {
          "created_at": {
            "gte": "2022-05-04 00:00:00",
            "lte": "2022-05-04 23:59:59"
          }
        }
      }
    }
  }
}
It's coming back correctly, but it's duplicating information, because in the indexes "qualifications" and "queueevents" there is the same action "QualifyVoiceWel".
In this case, I would need to filter so that the "QualifyVoiceWel" field comes only from the qualifications index and not from queueevents!
You can add a bool clause inside the existing should like below:
{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              { "match": { "action": "VoiceQueueAbandonAction" } },
              {
                "bool": {
                  "must": [
                    { "match": { "action": "QualifyVoiceWel" } },
                    { "term": { "_index": { "value": "qualifications" } } }
                  ]
                }
              }
            ]
          }
        }
      ],
      "filter": {
        "range": {
          "created_at": {
            "gte": "2022-05-04 00:00:00",
            "lte": "2022-05-04 23:59:59"
          }
        }
      }
    }
  }
}
Two options based on your requirements:
Query against the proper index with /<index_name>/_search
OR
The index name is available to use in queries as _index. This documentation gives more details.
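Both options from the answers above, as an added example that is not code from either answer: a builder that pins an action to one index with a term on _index, the shape the first answer uses, and a helper that produces the /<index_name>/_search path from the second answer. Function names, the (action, index) pair layout and the minimum_should_match setting are this example's own choices.

```python
"""Added example (not part of either answer): build the bool/should list for
the cross-index query above, pinning an action to one index with a term on
_index where needed, plus the /<indices>/_search path. Names are this
example's own."""
from typing import Iterable, Optional, Tuple


def action_clause(action: str, index: Optional[str] = None) -> dict:
    """A match on action, optionally ANDed with a term on _index so the same
    action name stored in another index cannot produce duplicate hits."""
    match = {"match": {"action": action}}
    if index is None:
        return match
    return {"bool": {"must": [match, {"term": {"_index": {"value": index}}}]}}


def build_query(actions: Iterable[Tuple[str, Optional[str]]], day: str) -> dict:
    """actions: (action, index_or_None) pairs. day: 'YYYY-MM-DD'.

    Produces the shape of the answer: the should-list inside must (scored),
    and the created_at range as a filter (not scored, cacheable)."""
    should = [action_clause(action, index) for action, index in actions]
    return {"query": {"bool": {
        "must": [{"bool": {"should": should, "minimum_should_match": 1}}],
        "filter": {"range": {"created_at": {
            "gte": f"{day} 00:00:00", "lte": f"{day} 23:59:59"}}},
    }}}


def search_path(indices: Iterable[str]) -> str:
    """Option one from the second answer: address only the indices you want
    (comma-separated) instead of searching everything with GET _search."""
    joined = ",".join(indices)
    return f"/{joined}/_search" if joined else "/_search"


# Constructed input mirroring the asker's case: the abandon action may come
# from any index, the qualify action only from "qualifications".
ACTIONS = [("VoiceQueueAbandonAction", None), ("QualifyVoiceWel", "qualifications")]

if __name__ == "__main__":
    import json
    print(search_path(["qualifications", "queueevents"]))
    print(json.dumps(build_query(ACTIONS, "2022-05-04"), indent=2))
```

Restricting the path is the cheaper of the two: a term on _index still fans the request out to every index the cluster will let the request's user read, while the explicit path never touches the others.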

Combine multiple individual queries into one to get aggregated result in Elasticsearch

I have built two queries in Elasticsearch to get the counts for each error message. For example, the first query gets how many error messages are related to the "was not found" error:
GET /logstash*/_search
{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            { "match": { "kubernetes.pod_name": "api" } },
            { "match": { "log": "error" } },
            { "match": { "log": { "query": "was not found", "operator": "and" } } },
            {
              "range": {
                "#timestamp": {
                  "time_zone": "CET",
                  "gt": "now-7d",
                  "lte": "now"
                }
              }
            }
          ]
        }
      }
    }
  },
  "aggs": {
    "type_count": {
      "value_count": {
        "script": { "source": "doc['log.keyword'].value" }
      }
    }
  }
}
The second query gets the count of error messages related to the "Duplicate Entry" error:
GET /logstash*/_search
{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            { "match": { "kubernetes.pod_name": "api" } },
            { "match": { "log": "error" } },
            { "match": { "log": { "query": "Duplicate entry", "operator": "and" } } },
            {
              "range": {
                "#timestamp": {
                  "time_zone": "CET",
                  "gt": "now-7d",
                  "lte": "now"
                }
              }
            }
          ]
        }
      }
    }
  },
  "aggs": {
    "type_count": {
      "value_count": {
        "script": { "source": "doc['log.keyword'].value" }
      }
    }
  }
}
My boss really wants me to combine these individual queries into one big query, then get the list of counts for each error message in one output. Since we have a lot of error messages, we have to write a query for each error message and then run each query to get the counts. Is there a way I can click run once to get the list of counts?
I have been trying to use the query string query and looking for solutions on both Stack Overflow and the documentation. However, no luck.
You can use a filter aggregation along with the value_count aggregation to combine these two queries. In both queries, only one of the 4 queries inside the must clause differs. You can take this out and combine them with two filter aggregations as below:
{
  "query": {
    "bool": {
      "filter": {
        "bool": {
          "must": [
            { "match": { "kubernetes.pod_name": "api" } },
            { "match": { "log": "error" } },
            {
              "range": {
                "#timestamp": {
                  "time_zone": "CET",
                  "gt": "now-7d",
                  "lte": "now"
                }
              }
            }
          ]
        }
      }
    }
  },
  "aggs": {
    "not_found_count": {
      "filter": {
        "match": { "log": { "query": "was not found", "operator": "and" } }
      },
      "aggs": {
        "count": {
          "value_count": {
            "script": { "source": "doc['log.keyword'].value" }
          }
        }
      }
    },
    "duplicate_entry_count": {
      "filter": {
        "match": { "log": { "query": "Duplicate entry", "operator": "and" } }
      },
      "aggs": {
        "count": {
          "value_count": {
            "script": { "source": "doc['log.keyword'].value" }
          }
        }
      }
    }
  }
}
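The answer hand-writes one filter aggregation per error; the asker's real problem is that there are many. The following is an added example, not code from the question or the answer, that generates the whole request from a table of error patterns using Elasticsearch's filters aggregation (one named bucket per pattern) on top of the shared filter from the answer, and reads the counts back out of the response. Each bucket already reports a doc_count, so the value_count sub-aggregation from the answer is not needed. The function names, the ERROR_PATTERNS table and the sample response are constructed for this example; the field names, including "#timestamp", are taken from the question as written.

```python
"""Added example, not from the question or the answer: one request that counts
every error pattern in a table, using the `filters` aggregation on top of the
shared filter from the answer. Names and sample data are this example's own."""

# Constructed table: bucket name -> phrase whose words must all appear in log.
ERROR_PATTERNS = {
    "not_found": "was not found",
    "duplicate_entry": "Duplicate entry",
    "timeout": "connection timed out",
}


def shared_filter(pod_name: str = "api", since: str = "now-7d",
                  time_zone: str = "CET") -> dict:
    """The clauses that were identical in both of the asker's queries.
    "#timestamp" is the field name exactly as the question shows it."""
    return {"bool": {"must": [
        {"match": {"kubernetes.pod_name": pod_name}},
        {"match": {"log": "error"}},
        {"range": {"#timestamp": {"time_zone": time_zone,
                                  "gt": since, "lte": "now"}}},
    ]}}


def error_count_request(patterns: dict, **filter_args) -> dict:
    """One search body: the shared filter as a non-scoring query, and a
    `filters` aggregation with a bucket per pattern. A bucket's doc_count is
    the count for that pattern; size=0 skips returning hits."""
    buckets = {name: {"match": {"log": {"query": phrase, "operator": "and"}}}
               for name, phrase in patterns.items()}
    return {
        "size": 0,
        "query": {"bool": {"filter": shared_filter(**filter_args)}},
        "aggs": {"errors": {"filters": {"filters": buckets}}},
    }


def counts_from_response(response: dict) -> dict:
    """Flatten the aggregation part of a response into {bucket_name: count}."""
    buckets = response["aggregations"]["errors"]["buckets"]
    return {name: bucket["doc_count"] for name, bucket in buckets.items()}


# Constructed response in the shape Elasticsearch returns for a named-bucket
# filters aggregation (hits omitted because size is 0).
SAMPLE_RESPONSE = {"aggregations": {"errors": {"buckets": {
    "not_found": {"doc_count": 17},
    "duplicate_entry": {"doc_count": 4},
    "timeout": {"doc_count": 0},
}}}}

if __name__ == "__main__":
    import json
    print(json.dumps(error_count_request(ERROR_PATTERNS), indent=2))
    print(counts_from_response(SAMPLE_RESPONSE))
```

Adding a new error message is then one line in ERROR_PATTERNS rather than a new copy of the query, and the shared filter stays in one place so the time window and pod name cannot drift between copies.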

How to combine term filters with a missing filter in Elasticsearch?

We are using Elasticsearch 1.6 and I have a working three-term query that I need to modify with a stand-alone working missing filter. Here is the current code:
The original term query with three entries:
GET ...
{
  "query": {
    "nested": {
      "path": "MAIN_FIELD",
      "query": {
        "bool": {
          "must": [
            { "term": { "MAIN_FIELD.ID": 1234 } },
            { "term": { "MAIN_FIELD.OTHER_IND": "false" } },
            { "term": { "MAIN_FIELD.INDICATOR": "Y" } }
          ]
        }
      }
    }
  }
}
The stand-alone missing query:
GET ...
{
  "query": {
    "filtered": {
      "filter": {
        "missing": { "field": "MAIN_FIELD.OTHER_IND" }
      }
    }
  }
}
How do I change the term query from the first query:
"term": {
  "MAIN_FIELD.OTHER_IND": "false"
}
to use a missing filter?
I think what you want is below:
{
  "query": {
    "nested": {
      "path": "MAIN_FIELD",
      "query": {
        "bool": {
          "must": [
            { "term": { "MAIN_FIELD.ID": 1234 } },
            {
              "filtered": {
                "filter": {
                  "missing": { "field": "MAIN_FIELD.OTHER_IND" }
                }
              }
            },
            { "term": { "MAIN_FIELD.INDICATOR": "Y" } }
          ]
        }
      }
    }
  }
}

ElasticSearch How to AND a nested query

I am trying to figure out how to AND my Elasticsearch query. I've tried a few different variations, but I always hit a parser error.
What I have is a structure like this:
{
  "title": "my title",
  "details": [
    { "name": "one", "value": 100 },
    { "name": "two", "value": 21 }
  ]
}
I have defined details as a nested type in my mappings. What I'm trying to achieve is a query that matches part of the title and matches various details by the detail's name and value.
I have the following query, which gets me nearly there, but I haven't been able to figure out how to AND the details. As an example, I'd like to find anything that has:
detail of one with value less than or equal to 100
AND detail of two with value less than or equal to 25
The following query only allows me to search by one detail name/value:
"query": {
  "bool": {
    "must": [
      { "match": { "title": { "query": titleQuery, "operator": "and" } } },
      {
        "nested": {
          "path": "details",
          "query": {
            "bool": {
              "must": [
                { "match": { "details.name": "one" } },
                { "range": { "details.value": { "lte": 100 } } }
              ]
            }
          }
        }
      }
    ]
  }
}
As a second question, would it be better to query the title and then move the nested part of the query into a filter?
You were so close! Just add another "nested" clause in your outer "must":
POST /test_index/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "title": { "query": "title", "operator": "and" } } },
        {
          "nested": {
            "path": "details",
            "query": {
              "bool": {
                "must": [
                  { "match": { "details.name": "one" } },
                  { "range": { "details.value": { "lte": 100 } } }
                ]
              }
            }
          }
        },
        {
          "nested": {
            "path": "details",
            "query": {
              "bool": {
                "must": [
                  { "match": { "details.name": "two" } },
                  { "range": { "details.value": { "lte": 25 } } }
                ]
              }
            }
          }
        }
      ]
    }
  }
}
Here is some code I used to test it:
http://sense.qbox.io/gist/1fc30d49a810d22e85fa68d781114c2865a7c92e
EDIT: Oh, the answer to your second question is "yes", though if you're using 2.0 things have changed a little.

elasticsearch query nested array of objects

Hi, I am trying to get a query to filter based on values in an array of objects. The structure is like this:
{
  "_index": "test",
  "_type": "home",
  "_id": "1247816",
  "_score": 1,
  "_source": {
    "TranCust": {
      "CustId": 1247816,
      "sourceNodeName": "SRC"
    },
    "TranList": [
      { "TranId": 2431015, "batchNr": "211" },
      { "TranId": 2431016, "batchNr": "213" }
    ]
  }
}
As an example, I would like to find all documents with a TranId of 2431015. My query looks like this:
{
  "query": {
    "bool": {
      "must": [
        {
          "nested": {
            "path": "TranList",
            "query": {
              "bool": {
                "must": [
                  { "match": { "TranId": "2431015" } }
                ]
              }
            }
          }
        }
      ]
    }
  }
}
It seems to return no results. Is there a better way to write this query?
EDIT:
Here are the mappings I put in (TranList belongs inside "properties" next to TranCust; the braces as first pasted were unbalanced):
{
  "mappings": {
    "home": {
      "properties": {
        "TranCust": {
          "type": "object"
        },
        "TranList": {
          "type": "nested"
        }
      }
    }
  }
}
OK, so after lots of attempts this is how I got it to work:
{
  "query": {
    "bool": {
      "must": [
        {
          "nested": {
            "path": "TranList",
            "query": {
              "bool": {
                "must": [
                  { "match": { "TranList.TranId": "2431015" } }
                ]
              }
            }
          }
        }
      ]
    }
  }
}
Not sure what your ES version was, but the following should ideally work for ES 6.x+ versions. You don't actually need to wrap your nested query in bool:must:
{
  "query": {
    "nested": {
      "path": "TranList",
      "query": {
        "bool": {
          "must": [
            { "match": { "TranList.TranId": "2431015" } }
          ]
        }
      }
    }
  }
}
{
  "query": {
    "query_string": {
      "default_field": "TranList.TranId",
      "query": "2431015"
    }
  }
}
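One builder serves both nested-query threads above ("How to AND a nested query" and "query nested array of objects"); it is an added example and not code from any of the answers. It encodes the two things that went wrong in those threads: every field under a nested path must be written with the full "<path>.<field>" name (the last asker's fix), and conditions that should hold on one object go into a single nested clause, while requirements that may be met by different objects each get their own nested clause in the outer must (one nested object cannot have name "one" and name "two" at the same time, so folding both into one nested bool would match nothing). The function names and the requirement layout are this example's own.

```python
"""Added example serving the "AND a nested query" and "nested array of
objects" threads above; not code from any of the answers. Function names and
the requirements layout are this example's own."""
from typing import Iterable, List, Union

Condition = Union[str, int, float, dict]   # plain value -> match, dict -> range


def _qualify(path: str, field: str) -> str:
    """Return the full dotted field name inside the nested path, leaving
    already-qualified names alone."""
    return field if field.startswith(path + ".") else f"{path}.{field}"


def nested_requirement(path: str, conditions: dict) -> dict:
    """conditions maps field -> value (match) or field -> {"lte": n, ...}
    (range). All of them must hold on the SAME nested object, so they share
    one nested clause."""
    must = []
    for field, cond in conditions.items():
        full = _qualify(path, field)
        if isinstance(cond, dict):
            must.append({"range": {full: cond}})
        else:
            must.append({"match": {full: cond}})
    return {"nested": {"path": path, "query": {"bool": {"must": must}}}}


def nested_and(path: str, requirements: Iterable[dict],
               extra_must: Iterable[dict] = ()) -> dict:
    """AND several requirements that may be satisfied by DIFFERENT nested
    objects: one nested clause per requirement in the outer bool/must, with
    any non-nested clauses (e.g. the title match) placed first."""
    must: List[dict] = list(extra_must)
    must.extend(nested_requirement(path, req) for req in requirements)
    return {"query": {"bool": {"must": must}}}


# Constructed inputs mirroring the two questions.
DETAILS_WANTED = [
    {"name": "one", "value": {"lte": 100}},
    {"name": "two", "value": {"lte": 25}},
]
TITLE_MATCH = {"match": {"title": {"query": "my title", "operator": "and"}}}

if __name__ == "__main__":
    import json
    print(json.dumps(nested_and("details", DETAILS_WANTED, [TITLE_MATCH]), indent=2))
    print(json.dumps(nested_and("TranList", [{"TranId": "2431015"}]), indent=2))
```

With the sample document from the "AND a nested query" thread (one=100, two=21), the generated query matches, and changing the second requirement to {"lte": 20} makes it fail on that object alone, which is the behaviour the asker wanted.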