Confused about querying using the search api

iamthealex · May 5, 2016, 11:37pm

I added a single entry to a newly created test index for my local VM's ES instance.
I can retrieve that single entry using the search api where I ask for everything in the index/type --
curl -XGET 'http://localhost:9200/access-log-lines/v1/_search' | json_reformat
Here is the beginning of the output of the single entry in the index:

{
"took": 4,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 1,
"max_score": 1.0,
"hits": [
{
"_index": "access-log-lines",
"_type": "v1",
"_id": "1462349702+1816527446-large.pod1.tor.cdx-stag.example.com",
"_score": 1.0,
"_source": {
"@timestamp": "2016-05-04T08:15:02.840Z",
"udn-env": "cdx-local",
"udn-server": "alex.example.comt",
......

I expected to get a hit when I search for this (sole) entry using this curl:
(note from the above output my "_source" has the field named "udn-env" with value "cdx-local".
curl -XGET http://localhost:9200/access-log-lines/_search -d '{ "query" : {"term" : { "udn-env" : "cdx-local" } } } '
However, I get no hits using that query.

Why don't I get a hit with that search? I followed the example in this page
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-body.html
I didn't expect the data to be in source. Why is what was top-level data in LogStash added to source by ES? I generated this entry using logstash and I expected "udn-env" to be at the top-level (as it was in the json I sent to ES) just like "index", "type" and "id". For my purposes, I don't want ES to analyze (I do any analysis I need on the LogStash side). So I plan to use a mapping template to avoid ES server side analysis eventually.

Thanks.

warkolm · May 5, 2016, 11:50pm

Maybe ES broke it apart during analysis? What does the actual field show id you get the doc by ID?

iamthealex · May 6, 2016, 12:30am

warkolm: broke what apart during analysis? The top-level json?
I am guessing you want the output from:
http://localhost:9200/access-log-lines/v1/1462349702+1816527446-large.pod1.tor.cdx-stag.example.com?
Here it is:
{

"_index": "access-log-lines",
"_type": "v1",
"_id": "1462349702 1816527446-large.pod1.tor.cdx-stag.example.com",
"found": false

}

Maybe the fact that I asked with a "+" in the url, but the return is missing the "+" is relevant?
Note that I'm sure ES has the data since it comes back via the search api (see my original post).
I'm most likely missing the correct way to enter my filter terms ?

warkolm · May 6, 2016, 2:21am

_source contains the original data, you want to look at what happened after analysis.

Unless you have set udn-server to be not analysed, then chances are it'll come out as cdx and local, because it'd whitespace the -.

iamthealex · May 6, 2016, 2:21pm

I've chopped down my problem and submitted a better question here: Disappearing data.

Topic		Replies	Views
Search hits used as filter Elasticsearch	4	523	March 14, 2018
Some help understanding results Elasticsearch	7	339	July 6, 2017
How to get the unique results from ES query Elasticsearch	1	484	February 9, 2017
Confused result sets: total hit is equal to 1 but but "hits" is an empty JSON list Elasticsearch	2	320	July 6, 2017
A query I believe should work, doesn't seem to Elasticsearch	7	457	July 6, 2017

Confused about querying using the search api

Related topics