malformed query, expected END_OBJECT but found FIELD_NAME error in Kibana (Elastic Search) - elasticsearch

I am running the following GET query within my Kibana Console and for some reason I am getting a error in the response window as follows :
// error
[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]
Can anyone suggest why I am not able to use multiple match blocks within the 'should' section?
// response - if i take out one of the match blocks it works??
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 13
}
],
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 9,
"col": 13
},
"status": 400
}
// my query
GET _search
{
"query": {
"bool": {
"should": [
{
"match": {
"text": "facebook advice"
},
"match": {
"profile": "facebook advice"
}
}
],
"minimum_number_should_match": 1,
"filter": {
"term": {
"accountid": "22"
}
}
}
}


Your query is malformed. Write it like this instead:
GET _search
{
"query": {
"bool": {
"should": [
{
"match": {
"text": "facebook advice"
}
},
{
"match": {
"profile": "facebook advice"
}
}
],
"minimum_number_should_match": 1,
"filter": {
"term": {
"accountid": "22"
}
}
}
}
}


Give the below query a try.. It works for me.
-------- working console query -------------
POST /usage-metering-stats/_search?size=10
{
"query": {
"bool": {
"must": [{
"term": {
"tenantId": "2222"
}
},
{
"term": {
"instanceId": "1212"
}
},
{
"term": {
"cspId": "25680"
}
},
{
"term": {
"api": "2"
}
}
]
}
},
"aggs": {
"totalCount": { "sum": { "field": "count" } }
}
}

Related

Elastic search match query with pattern

I have a column where all the values start with "ARK". For example
number
ARK101223
ARK123422
ARK234002
ARK234177
I need to get all the records for the column number that matches with ARK using elastic search. Whereever I have the number as column and matches with ARK, I need to retrieve those records only. Some records will not have number as column so I want those to be ignored..
Below is the query that I tried but not working
{
"query": {
"bool": {
"must": [
{
"prefix": {
"number.keyword": "ARK"
}
},
{
"range": {
"date_1": {
"gte": "2022-01-01 01:00:00",
"lte": "2022-03-10 01:00:00"
}
},
"sort": [
{
"date_1": {
"order": "asc"
},
"date_2": {
"order": "asc"
},
"ts": {
"order": "asc"
}
}
]
}
]
}
}
}
Below is the error:
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 1,
"col": 155
}
],
"type": "x_content_parse_exception",
"reason": "[1:155] [bool] failed to parse field [must]",
"caused_by": {
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 1,
"col": 155
}
},
"status": 400
}

If Elasticsearch generated mapping for your index, than you will have .keyword field for your number text field and on that you can make prefix query to get expected result.
{
"query": {
"prefix": {
"number.keyword": "ARK"
}
}
}
Update:
{
"query": {
"bool": {
"must": [
{
"prefix": {
"number.keyword": "ARK"
}
},
{
"range": {
"date_1": {
"gte": "2022-01-01 01:00:00",
"lte": "2022-03-10 01:00:00"
}
}
}
]
}
},
"sort": [
{
"date_1": {
"order": "asc"
},
"date_2": {
"order": "asc"
},
"ts": {
"order": "asc"
}
}
]
}

Nested aggregation in nested aggregation query

Having the below (abbreviated) document in Elastic Search 7.1. Focusing on questions.influencerReponse.selectAllThatApplyResponses path.
{
"questions": [
{
"questionId": "79cfc6e7-731e-4d83-9dd6-82f4f39fff03",
"questionKind": "select_all_that_apply",
"questionText": "Have you heard of any of the following charities?",
"questionOptions": {
"1": "Plan International",
"2": "Young Women's Trust",
"3": "Women For Refugee Women",
"4": "The FPA"
},
"influencerReponse": {
"questionId": "79cfc6e7-731e-4d83-9dd6-82f4f39fff03",
"questionKind": "select_all_that_apply",
"text": null,
"questionOrder": 3,
"order": null,
"shortAnswerResponse": null,
"viewerSentimentResponse": null,
"yesNoResponse": null,
"selectAllThatApplyResponses": [
{
"key": "2",
"value": "Young Women's Trust"
}
]
}
}
]
}
I want to get the term aggregations for the key or the value, both are keyword type. I accomplished that before but not in the level of selectAllThatApplyResponses nested type.
Here's what I have so far and throwing the below error.
{
"query": {
"bool": {
"must": [
{
"term": {
"sponsorshipId": {
"value": "33c7140f-23ae-46f2-a0fe-49e2251114e4"
}
}
}
]
}
},
"track_total_hits": true,
"size": 0,
"aggs": {
"select_all_that_apply_responses": {
"nested": {
"path": "questions"
},
"aggs": {
"filter_types": {
"filter": {
"bool": {
"must": [
{
"match": {
"questions.questionId": "79cfc6e7-731e-4d83-9dd6-82f4f39fff03"
}
}
]
}
},
"aggs": {
"select_all_that_apply_nested": {
"nested": {
"path": "questions.influencerReponse.selectAllThatApplyResponses"
},
"aggs": {
"terms": {
"field": "questions.influencerReponse.selectAllThatApplyResponses.key"
}
}
}
}
}
}
}
}
}
I am receiving the below error.
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "Expected [START_OBJECT] under [field], but got a [VALUE_STRING] in [terms]",
"line": 42,
"col": 46
}
],
"type": "parsing_exception",
"reason": "Expected [START_OBJECT] under [field], but got a [VALUE_STRING] in [terms]",
"line": 42,
"col": 46
},
"status": 400
}

The final terms agg needs a name too -- I called it select_all_that_apply_nested_terms.
...
"select_all_that_apply_nested":{
"nested":{
"path":"questions.influencerReponse.selectAllThatApplyResponses"
},
"aggs":{
"select_all_that_apply_nested_terms":{
"terms":{
"field":"questions.influencerReponse.selectAllThatApplyResponses.key"
}
}
}
}
...

ES plugin query

I am running the following query and getting an error:
Query :
POST /sbl_nmon2019.12.02/_search?size=0
{"query":{
"bool":{
"must" : [{
"range":{"#timestamp":{"gte": "now-30m"}},
"aggs":{"max_cpu" : {"field":"cpu_consumed"}},
"match":{"Server" : "siebeldbnode01"}
}]
}
}}
Error:
{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 5,
"col": 5
}
],
"type": "parsing_exception",
"reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 5,
"col": 5
},
"status": 400
}
The objective is to find max of a numberic field fron an index for last 30 minutes of a specific node.
SY

Your query is not properly formatted, it should look like this instead.
POST /sbl_nmon2019.12.02/_search
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"#timestamp": {
"gte": "now-30m"
}
}
},
{
"match": {
"Server": "siebeldbnode01"
}
}
]
}
},
"aggs": {
"max_cpu": {
"max": {
"field": "cpu_consumed"
}
}
}
}

MUST attribute values should be separate object.
Correct format:
POST /sbl_nmon2019.12.02/_search?size=0
{
"query": {
"bool": {
"must": [
{
"match": {
"Server": "siebeldbnode01"
}
},
{
"range": {
"#timestamp": {
"gte": "now-30m"
}
}
}
]
},
"aggs": {
"max_cpu": {
"field": "cpu_consumed"
}
}
}
}
Wrong Format:
"must" : [{
"range":{"#timestamp":{"gte": "now-30m"}},
"aggs":{"max_cpu" : {"field":"cpu_consumed"}},
"match":{"Server" : "siebeldbnode01"}
}]

How i can apply match and range in the query DSL in elasticsearch

I want use the match and range, my body in the query is :
{
"query": {
"match" : {
"netscaler.ipadd" : "192.68.2.39"
},
"range": {
"#timestamp": {
"gte":"2015-08-04T11:00:00",
"lt":"2015-08-04T12:00:00"
}
}
},
"aggs" : {
"avg_grade" : {
"avg" : { "field" : "netscaler.stat.system.memusagepcnt" }
}
}
}
and elsaticsearch responds with:
{
"error": {
"root_cause": [{
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 6,
"col": 7
}],
"type": "parsing_exception",
"reason": "[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
"line": 6,
"col": 7
},
"status": 400
}
I need know which is the best way or the correct way for do that.

If you have multiple queries you probably should wrap them inside a bool query:
{
"query": {
"bool": {
"must": [
{
"match": {
"netscaler.ipadd": "192.68.2.39"
}
},
{
"range": {
"#timestamp": {
"gte": "2015-08-04T11:00:00",
"lt": "2015-08-04T12:00:00"
}
}
}
]
}
},
"aggs": {
"avg_grade": {
"avg": {
"field": "netscaler.stat.system.memusagepcnt"
}
}
}
}
More info in the docs

elasticsearch : make a should into a filter

I would want to do search with a filter that exclude result that not match a condition OR anothor condition:
I tried to do a should into a filter but it fails:
POST /my_index/_search
{
"query": {
"bool": {
"filter": [
{
"should": [
{
"match": {
"type1_title": "searched match"
}
},
{
"match": {
"type2_title": "searched match"
}
}
]
}
]
}
}
}
it raises that error:
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "[should] query malformed, no start_object after query name",
"line": 9,
"col": 21
}
],
"type": "parsing_exception",
"reason": "[should] query malformed, no start_object after query name",
"line": 9,
"col": 21
},
"status": 400
}
Do you know if we can do an or in a filter?

Why not simply bool/should, there's no need for filter here
POST /my_index/_search
{
"query": {
"bool": {
"minimum_should_match": 1,
"should": [
{
"match": {
"type1_title": "searched match"
}
},
{
"match": {
"type2_title": "searched match"
}
}
]
}
}
}
If you really want to keep the bool/filter/should construct then you need to do it like this:
POST /my_index/_search
{
"query": {
"bool": {
"filter": [
{
"bool": {
"should": [
{
"match": {
"type1_title": "searched match"
}
},
{
"match": {
"type2_title": "searched match"
}
}
]
}
}
]
}
}
}

Resources