Call Elastic API to get an info on a parameter

Hello,

I would like to use the Elasticsearch API in order to get information on a parameter I have in one of my indices.

In concrete terms, I would like to know if there have been any hits for a particular client (parameter called "data.client") in the last 5 minutes by calling the API.

I've made it this far:

    GET app-sms-smpp-serversmpp-prd-7.4.2-2020.11.09/_msearch
    {}
    {  "query": { "match_phrase": { "smpp.serversmpp.data.client": "KDEV" } }}
    {}
    {  "query": {
        "range": {
          "timestamp": {
            "time_zone": "+01:00",        
            "gte": "now-5m/m", 
            "lte": "now"                  
          }
        }
      }
    }

But it looks like the multi search is not working; I get an error like:

```
 "error": {
        "root_cause": [
          {
            "type": "json_e_o_f_exception",
            "reason": "Unexpected end-of-input: expected close marker for Object (start marker at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@5d626c59; line: 1, column: 13])\n at [Source: org.elasticsearch.transport.netty4.ByteBufStreamInput@5d626c59; line: 1, column: 27]"
```

Thank you very much in advance for your help.

Best regards,

Baptiste

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.


You should try a simple _search using a bool query with a must array which contains a term query and a range query.

If you don't know how to do it, please share a minimal reproduction script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.


Hello @dadoonet

Thank you very much for your answer. Sorry for the bad formatting of my code. I corrected it.

@dadoonet, please see the full reproduction script I wrote after following your advice:

```
GET /app-sms-smpp-serversmpp-prd-7.4.2-2020.11.09/_search
{
  "query": {
    "bool": {
      "must": [
      {
        "term": {
          "smpp.serversmpp.data.client": {
          "value": "KDEV"
          }
        }
      },
      {
        "range": {
          "timestamp": {
            "time_zone": "+01:00",
            "gte": "now-5m/m",
            "lte": "now"
          }
        }
      }
      ]
    }
  }
}
```

It seems to work, but I don't get any hits in the response:

```
  "hits" : {
    "total" : {
      "value" : 0,
```

whereas when I check on the discover panel I can clearly see that there are some hits for this client in the last 5 minutes.

Do you know where this problem could come from?

Thanks very much in advance.

It depends on your mapping.

Maybe try with kdev instead of KDEV.

But that might not work for all your customers. In which case you should change the mapping and use a keyword datatype.

I've tried kdev, not working. I've checked the mapping, and a keyword datatype is already used for the data.client:

```
"data" : {
                  "properties" : {
                    "client" : {
                      "type" : "keyword",
                      "ignore_above" : 1024
```

Can this be related to the fact that we use in our company the free basic version of Elastic Stack ?

Absolutely not.

The only way to debug this is by reproducing your error. So please provide a script as I mentioned earlier.
A script is something we can copy/paste in Kibana dev console and reproduce the problem.

In the meantime, you can try a few things to check where the error is coming from.
Run:

```
GET /app-sms-smpp-serversmpp-prd-7.4.2-2020.11.09/_search
{
  "query": {
    "bool": {
      "must": [
      {
        "term": {
          "smpp.serversmpp.data.client": {
          "value": "KDEV"
          }
        }
      }
      ]
    }
  }
}
```

And

```
GET /app-sms-smpp-serversmpp-prd-7.4.2-2020.11.09/_search
{
  "query": {
    "bool": {
      "must": [
      {
        "range": {
          "timestamp": {
            "time_zone": "+01:00",
            "gte": "now-5m/m",
            "lte": "now"
          }
        }
      }
      ]
    }
  }
}
```

And share the output for all.

Also, maybe remove the time_zone part. It might not have the effect you think.

Thanks very much for your help, I've found the problem, this part:

was the origin of the problem only because an @ was missing in @timestamp.

It's working now, but there is now another problem:
When I run my script at 15:31, for example, I'm only getting hits that have a @timestamp during the 15:26 minute (31-5 = 26), but I don't get any hits between 15:26 and 15:31. It should be related to

```
          "timestamp": {
            "gte": "now-5m/m",
            "lte": "now"
```

but I don't know what is not correct with this. I'll check the documentation about date range again, but if you have any idea of what could be the problem I would be glad to hear it.

Thank you
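Added worked example (not code from the thread or from Elastic) covering the three points discussed above: the `_search` bool query with a term and a range in its must array, the NDJSON layout an `_msearch` body needs (the first post's multi-line bodies are what the JSON parser rejected), and what `now-5m/m` / `now` resolve to at a given instant. The index and field names are taken from the thread; `@timestamp` is the field name the thread ends up with, and the sample instant is constructed.

```python
import json
from datetime import datetime, timedelta

# Index and field names taken from the thread; @timestamp is the field name the
# thread ends up with (the earlier queries used "timestamp" and matched nothing).
INDEX = "app-sms-smpp-serversmpp-prd-7.4.2-2020.11.09"
CLIENT_FIELD = "smpp.serversmpp.data.client"


def bool_query(client, minutes=5, ts_field="@timestamp"):
    """_search body: bool query whose must array holds a term query on the
    keyword client field and a date range on the timestamp field."""
    return {
        "query": {
            "bool": {
                "must": [
                    {"term": {CLIENT_FIELD: {"value": client}}},
                    {"range": {ts_field: {"gte": f"now-{minutes}m/m", "lte": "now"}}},
                ]
            }
        }
    }


def msearch_body(index, bodies):
    """_msearch body as NDJSON: a header line then a single-line body per search,
    newline terminated. A pretty-printed, multi-line body is not valid here;
    that is what raised the json_e_o_f_exception in the first post."""
    lines = []
    for body in bodies:
        lines.append(json.dumps({"index": index}))
        lines.append(json.dumps(body, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def parse_msearch_body(ndjson):
    """Parse the way the server does: every non-empty line must be one JSON document."""
    return [json.loads(line) for line in ndjson.splitlines() if line]


def resolve_range(minutes, now_iso):
    """What the range resolves to at a given instant (ISO 8601 with offset):
    'now-5m/m' subtracts 5 minutes then rounds down to the minute, 'now' is the
    instant itself. Elasticsearch evaluates now in UTC; time_zone does not shift it."""
    now = datetime.fromisoformat(now_iso)
    gte = (now - timedelta(minutes=minutes)).replace(second=0, microsecond=0)
    return gte.isoformat(), now.isoformat()
```

At the thread's 15:31 run, `resolve_range(5, "2020-11-09T15:31:42+00:00")` gives a window from 15:26:00 to 15:31:42, so hits in every minute of that window are expected.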

Again:

The only way to debug this is by reproducing your error. So please provide a script as I mentioned earlier.
A script is something we can copy/paste in Kibana dev console and reproduce the problem.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.