Attempting to match or filter but still always return all values

Can anyone share a working example of how to match or filter a field based on existing data? I have attempted the following query but it still returns all values. Also, what's the difference between match and filter? Thanks

index                                                        shard prirep state    node
partial-.ds-logs-network.netflow-default-2025.11.27-002008   0     p      STARTED  instance-0000000019
partial-.ds-logs-network.netflow-default-2025.11.27-002008   1     p      STARTED  instance-0000000049
partial-.ds-logs-network.netflow-default-2025.11.27-002008   2     p      STARTED  instance-0000000052
partial-.ds-logs-network.netflow-default-2025.11.27-002008   3     p      STARTED  instance-0000000039
partial-.ds-logs-network.lb-default-2025.12.04-000874        0     p      STARTED  instance-0000000049
partial-.ds-logs-network.fw-fortigate-2025.09.26-001661      0     p      STARTED  instance-0000000040

//TEST_QUERY_1
GET _cat/shards?v=true&h=index,shard,prirep,state,node,unassigned.reason&s=state&format=json/_search
{
  "query": {
    "match": {
      "query": "1",
      "fields": ["shard"]
    }
  }
}

//TEST_QUERY_2
GET _cat/shards?v=true&h=index,shard,prirep,state,node,unassigned.reason&s=state&format=json/_search
{
  "query": {
    "match": {
      "shard": {
        "gt": "1"
      }
    }
  }
}


//TEST_QUERY_3
GET _cat/shards?v=true&h=index,shard,prirep,state,node,unassigned.reason&s=state&format=json/_search
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "shard": "0"
        }
      }
    }
  }
}



A GET on _cat/shards doesn’t support Query DSL, so your query body is being silently ignored. See the docs on that API here.

1 Like
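The reply above is right that the cat APIs ignore a request body. As an added example (not code from anyone in this thread), here is some Python that does the two things the original queries were trying to do: filter the cat output on the client, where that filtering actually has to happen, and build a proper Query DSL body for the _search endpoint, with the must (match) versus filter distinction the question asked about. The sample rows are constructed from the table in the question; the field names message, network.transport and destination.port are assumed for illustration only.

```python
import json

# Constructed sample: the JSON form (format=json) of the cat rows shown in the
# question. Note that cat returns every column, including "shard", as a string.
SAMPLE_CAT_SHARDS = json.dumps([
    {"index": "partial-.ds-logs-network.netflow-default-2025.11.27-002008",
     "shard": "0", "prirep": "p", "state": "STARTED", "node": "instance-0000000019"},
    {"index": "partial-.ds-logs-network.netflow-default-2025.11.27-002008",
     "shard": "1", "prirep": "p", "state": "STARTED", "node": "instance-0000000049"},
    {"index": "partial-.ds-logs-network.netflow-default-2025.11.27-002008",
     "shard": "2", "prirep": "p", "state": "STARTED", "node": "instance-0000000052"},
    {"index": "partial-.ds-logs-network.netflow-default-2025.11.27-002008",
     "shard": "3", "prirep": "p", "state": "STARTED", "node": "instance-0000000039"},
    {"index": "partial-.ds-logs-network.lb-default-2025.12.04-000874",
     "shard": "0", "prirep": "p", "state": "STARTED", "node": "instance-0000000049"},
    {"index": "partial-.ds-logs-network.fw-fortigate-2025.09.26-001661",
     "shard": "0", "prirep": "p", "state": "STARTED", "node": "instance-0000000040"},
])


def filter_cat_shards(raw_json, shard=None, shard_gt=None, index_prefix=None):
    """Filter _cat/shards rows on the client.

    The cat API ignores a request body, so "shard == 0" or "shard > 1" has to be
    applied to the response after it arrives. The only server-side narrowing cat
    offers is the index pattern in the path (GET _cat/shards/logs-network.netflow*)
    plus the h= (columns) and s= (sort) parameters.
    """
    rows = json.loads(raw_json)
    keep = []
    for row in rows:
        n = int(row["shard"])  # cat gives "0", "1", ... as strings, so compare as int
        if shard is not None and n != shard:
            continue
        if shard_gt is not None and n <= shard_gt:
            continue
        if index_prefix is not None and not row["index"].startswith(index_prefix):
            continue
        keep.append(row)
    return keep


def term(field, value):
    """Exact-value clause (keyword/numeric field); belongs in filter, not must."""
    return {"term": {field: value}}


def range_gt(field, value):
    """Numeric/date comparison clause; this is what TEST_QUERY_2 was reaching for."""
    return {"range": {field: {"gt": value}}}


def search_body(must_match=None, filters=None):
    """Build a Query DSL body for GET <index>/_search.

    must   -> clauses that must match AND contribute to _score (full-text "match"
              on analysed text fields).
    filter -> clauses that must match but are not scored; Elasticsearch can cache
              them, so exact terms, ranges and existence checks go here.
    """
    bool_q = {}
    if must_match:
        bool_q["must"] = [{"match": {field: text}} for field, text in must_match.items()]
    if filters:
        bool_q["filter"] = list(filters)
    return {"query": {"bool": bool_q}}


if __name__ == "__main__":
    # Client-side equivalents of TEST_QUERY_3 (shard == 0) and TEST_QUERY_2 (shard > 1).
    for row in filter_cat_shards(SAMPLE_CAT_SHARDS, shard=0):
        print("shard 0 on", row["node"], "for", row["index"])
    for row in filter_cat_shards(SAMPLE_CAT_SHARDS, shard_gt=1):
        print("shard >1:", row["shard"], "on", row["node"])

    # What a real document query against the data stream would look like
    # (assumed ECS-style field names; send this body to GET logs-network.*/_search).
    body = search_body(
        must_match={"message": "denied"},
        filters=[term("network.transport", "tcp"), range_gt("destination.port", 1024)],
    )
    print(json.dumps(body, indent=2))
```

If you only want to narrow the cat listing, the path parameter does the work without any body: `GET _cat/shards/partial-.ds-logs-network.netflow*?v=true&h=index,shard,prirep,state,node&s=state`. Anything finer than an index pattern (a specific shard number, a node) is filtered after the fact, as above, or obtained from a proper JSON API such as `_cluster/state` or `_cluster/allocation/explain` if an application needs it.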

Got it. Thanks
cat APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications.

@Whoami1980 - You are 20 threads in over a period of approx. 1 month. Trying to learn Elasticsearch via a Q&A marathon seems sub-optimal to me. It will end with fragmented knowledge rather than a coherent understanding of the core concepts. IMHO a bit of structured study would likely be far more effective.

I speak half-decent German. Initially I "learned" via asking people or looking up the German word for cheese, horse, running, etc. This did not get me very far - learning German word by word, without grammar, is the wurst way to learn. :grinning_face:

A structured language course really helped. Of course that required a time investment, but for me, it helped way more to try to learn some grammar, sentence structure, word order, verb conjugation while also building vocab.

2 Likes

@RainTown

Correct me if I am wrong. I doubt there is any free course to start with.

Also, a course may not be suitable for everyone, just like kids that attend mainstream school. If you get what I mean.

Also, what's up with the number of posts? Since there is no KPI, why are you attracted by the number of posts?

@RainTown
Sorry. I have been trying to figure out where to access the page you are referring to. Btw, kindly stop monitoring my number of threads; eventually it will die down. You can let me know if I don't follow or break any rules, probably unintentionally.

If numbers interest you, you should be focusing on the Elastic share price. Hopefully my number of threads has an inverse relationship to the Elastic share price.

From main page

I registered with a Gmail account. The free courses do come and go a bit; the list I shared was what I saw was available yesterday.

My concern, for you, is that you/your team have apparently inherited some responsibility for a quite significant production cluster? 37 Elasticsearch nodes, 45 Logstash nodes, 3 trillion documents? It's not clear if this is using an enterprise (paid-for) license, what the history / use case is, etc. I don't need to know anyway. But should something actually go bad there, and I truly hope it does not, then without at the very least a decent knowledge of the basics you will be in real trouble.

For the avoidance of doubt, I don't personally care if you open 20 or 200 or 2000 threads, nor do I care about the Elastic share price. If you ask/post something where I think I can help, I might answer. Or might not.

Good luck with the cluster(s). I do recommend the free trainings.

1 Like

@RainTown

Thanks. Have a GOOD FRIDAY!!!