Chained input query - looping over hits values in query

Hello,

So I am a little stuck with this one...
Following this example: https://github.com/elastic/examples/blob/master/Alerting/Sample%20Watches/ml_examples/bucket_record_chain_watch.json

I've managed to successfully create a chained input query that uses first result in a terms query like so:

"query": {
  "bool": {
    "must": [
      {
        "range": {
          "@timestamp": {
            "gt": "{{ctx.payload.first.aggregations.record_results.top_record_hits.hits.hits.0.fields.start.0}}",
            "lt": "{{ctx.payload.first.aggregations.record_results.top_record_hits.hits.hits.0.fields.end.0}}"
          }
        }
      },
      {
        "term": {
          "request_IPAddress":"{{ctx.payload.first.aggregations.record_results.top_record_hits.hits.hits.0._source.over_field_value}}"
        }
      }
    ]
  }
}

I was wondering how I might go about unpacking ctx.payload.first.aggregations.record_results.top_record_hits.hits.hits so that I can find all documents with the _source.over_field_value, rather than just the first result in the array in hits.0?

I've played around with the mustache syntax to try and get it to look like this, for example: "request_IPAddress": ["49.195.126.239","1.128.107.52"]
But being JSON, I am not sure that is possible with mustache...

Really appreciate any advice you can give

Thanks!

You can use a script transform to manipulate and re-format the payload using painless scripting. See: https://www.elastic.co/guide/en/elasticsearch/reference/7.5/transform.html

Within a chained input, one of the chains can simply be a transform. Here's an example:

Here's what the query_string resolved to after the transform (that was passed to the third input):

"query_string" : {
  "query" : "(timestamp:1486656900000 AND airline:AAL) OR (timestamp:1486656000000 AND airline:AAL) OR (timestamp:1486638900000 AND airline:ACA)"
}

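The watch below is an added example for this thread (not Rich's watch, which did not survive on this page, and not code from the Elastic examples repo): the second chain input is a Painless transform that loops over every record hit, rather than only hits.0, and builds the query_string that the third input consumes. The payload paths and field names come from the question; the index patterns, the 15-minute windows, the record_score sort, the condition and the logging action are assumptions. It is written as a Kibana Dev Tools request so the script can sit in a triple-quoted string.

```console
PUT _watcher/watch/anomalous_ip_fanout
{
  "trigger": { "schedule": { "interval": "10m" } },
  "input": {
    "chain": {
      "inputs": [
        { "first": { "search": { "request": {
          "indices": [ ".ml-anomalies-*" ],
          "body": {
            "size": 0, "query": { "range": { "timestamp": { "gte": "now-15m" } } },
            "aggs": { "record_results": {
              "filter": { "term": { "result_type": "record" } },
              "aggs": { "top_record_hits": { "top_hits": {
                "size": 20, "_source": [ "over_field_value" ],
                "sort": [ { "record_score": "desc" } ]
              } } }
            } }
          }
        } } } },
        { "second": { "transform": { "script": { "lang": "painless", "source": """
          // Loop over every hit (not just hits.0) and collect distinct over_field_value entries.
          def hits = ctx.payload.first.aggregations.record_results.top_record_hits.hits.hits;
          Set seen = new HashSet(); List clauses = new ArrayList();
          for (def h : hits) {
            def v = h._source.over_field_value;
            if (v == null || !seen.add(v)) { continue; }
            // Quote and escape each value so payload data cannot alter the query_string syntax.
            String s = v.toString().replace('\\', '\\\\').replace('"', '\\"');
            clauses.add('request_IPAddress:"' + s + '"');
          }
          // Empty result: match nothing rather than falling back to a match-all query_string.
          String q = clauses.isEmpty() ? 'request_IPAddress:"__none__"' : String.join(' OR ', clauses);
          return [ 'ip_count': clauses.size(), 'query': q ];
        """ } } } },
        { "third": { "search": { "request": {
          "indices": [ "weblogs-*" ],
          "body": { "size": 100, "query": { "bool": { "filter": [
            { "range": { "@timestamp": { "gte": "now-15m" } } },
            { "query_string": { "query": "{{ctx.payload.second.query}}" } }
          ] } } }
        } } } }
      ]
    }
  },
  "condition": { "compare": { "ctx.payload.second.ip_count": { "gt": 0 } } },
  "actions": { "log_matches": { "logging": { "text": "{{ctx.payload.second.ip_count}} anomalous IP(s); {{ctx.payload.third.hits.total.value}} matching requests" } } }
}
```

Because every value is quoted and escaped before it enters the query_string, a hit whose over_field_value contained query operators cannot widen the search. The per-record start/end range from the original query can be added to the third input's filter in the same way, using the transform to carry those fields across.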

Brilliant! Thanks Rich. Really simple, I'll definitely be using this a lot for other stuff.

Cheers
