Hi,
The document in my index is shown below. I want to query fields inside its `_source`.
{
"_index" : "hi-2022.01.04",
"_type" : "_doc",
"_id" : "-e2AIn4BnkeJqJCuSq9B",
"_version" : 16,
"_seq_no" : 264786,
"_primary_term" : 2,
"found" : true,
"_source" : {
"hostname" : "thehive",
"ai" : {
"rule_uid" : "ai26",
"anomaly_flag" : 0,
"anomaly_score" : 0.06
}
}
}
My Query-
GET hi-2022.01.04/_search
{
"size": 2000,
"sort": [
{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"_source": {
"excludes": []
},
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"calendar_interval": "1d",
"time_zone": "Asia/Calcutta",
"min_doc_count": 1
}
}
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [
{
"match_phrase": {
"hostname": {
"query": "thehive"
}
}
},
{
"match_phrase": {
"ai.rule_uid": {
"query": "ai26"
}
}
},
{
"match_phrase": {
"ai.anomaly_flag": {
"query": 0
}
}
},
{
"range": {
"@timestamp": {
"gte": "now-5M",
"lte": "now"
}
}
}
],
"filter": [
{
"match_all": {}
}
],
"should": [],
"must_not": []
}
}
}
Response-
{"took":1,"timed_out":false,"_shards":{"total":2,"successful":2,"skipped":0,"failed":0},"hits":{"total":{"value":0,"relation":"eq"},"max_score":null,"hits":[]},"aggregations":{"2":{"buckets":[]}}}
If I run the above DSL query without the "hostname" clause, it works, but with the "hostname" clause it returns no hits; maybe that field is not nested.
I have tried changing the query in various ways, but it still does not work.
Thank You