i have logs like:
{
"a":"XXX",
"b":"YYY",
"token":"acquired"
}
Also, i have logs that do not have this token key set. Kibana's terms panel tells that they are around by showing them as Missing fields(3047). How can i query all docs that do not have the token key set?
You can query in ES for missing fields:
From: http://www.elasticsearch.org/guide/en/elasticsearch/guide/current/_dealing_with_null_values.html
GET /my_index/posts/_search
{
"query" : {
"filtered" : {
"filter": {
"missing" : { "field" : "token" }
}
}
}
}
Related
Here is the mapping. I have a property named #timestamp.
{
"my_index" : {
"mappings" : {
"properties" : {
"#timestamp" : {
"type" : "date_nanos"
}
}
}
}
}
But when I query like this:
{
"sort" : {
"#timestamp" : "desc"
}
}
I got an error: No mapping found for [#timestamp] in order to sort on.
I found some solution using unmapping_type, but I have definition in the property. Could someone help explain this case? I just started to use elasticsearch. Thanks.
You need to query on your specific index
GET my_index/_search
And not
GET /_search
Because otherwise you'll hit all indexes in your cluster and the odds are high that one of them doesn't have a #timestamp field.
Say I have a filter in query like this:
{
"query" : {
"filtered" : {
"filter" : {
"term" : {
"price" : 20
}
}
}
}
}
According to the official doc, there will be a filter cache associated to the key "price".
One day, I change the query as follow:
{
"query" : {
"filtered" : {
"filter" : {
"term" : {
"price" : 20,
"_cache" : false
}
}
}
}
}
Will Elasticsearch automatically remove the exist cache?
Not really sure. It will probably be removed eventually but probably not immediately. It doesn't really matter however as setting _cache = false will tell elastic search to not use the cache even if it is technically still there. If you want to clear the cache manually there's an API for it.
Here is an example:curl -XPOST 'http://localhost:9200/twitter/_cache/clear
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-clearcache.html
For my project, I thought of using Span Near Queries of ElasticSearch, with the constraint that is, certain tokens may have to searched with Fuzziness. I was able to generate a set of SpanQuery (org.apache.lucene.search.spans.SpanQuery) objects some with fuzzy enabled, some without. I couldn't figure out how to use these set of SpanQueries in ElasticSearch spanNearQuery.
Can someone help me out with right pointers to samples or docs. And is there any way to construct ES SpanNearQueryBuilder with some clauses fuzzy enabled ?
You can wrap an fuzzy query into a span query with Span Multi Term Query:
{
"span_near" : {
"clauses" : [
{ "span_term" : { "field" : "value1" } },
{ "span_multi" :
"match" : {
"prefix" : { "user" : { "field" : "value2" } }
}
}
],
...
}
}
I'm adding a field to a doc like this:
curl -XPOST 'http://localhost:9200/imap_email/imap_bruce/12/_update' -d '{
"script" : "ctx._source.simperium = \"12345\""
}'
Looking at that doc, I can verify that it has added the field "simperium". The following query (and the many variations of it I've tried) simply return everything in my index.
{
"constant_score" : {
"filter" : {
"exists" : { "field" : "simperium" }
}
}
}
What do I need to do to get a strict list of all docs that do or don't have a specific field?
The majority of Elasitcsearch examples exclude the outer "query" : {} object for brevity. It's very annoying when starting out, but eventually you learn to accept it.
You most likely wanted this:
{
"query" : {
"constant_score" : {
"filter" : {
"exists" : { "field" : "simperium" }
}
}
}
}
I want to create an alias on top of this. Index - test, Type - type
POST /test/type/_search
{
"query": {
"match": {
"brand_name": "xyz"
}
}
}
But I don't see anyway of doing it,since Elasticsearch aliases can only be created on filters and when I try with term filter,I don't get the results which I want.Any trick to achieve this ?
You can use a query filter to use any query as a filter:
"filter" : {
"query" : {
"match" : {
"brand_name" : "xyz"
}
}
}