Elasticsearch input plugin size

JFO_90 · August 1, 2021, 7:23pm

Hi,

I have a logstash configuration from which I'm trying to extract elasticsearch information with the elasticsearch input plugin. The problem that i have is that despite indicating a size, it always returns all the documents from the index has instead of the amount indicated in the index.

input {
elasticsearch {
hosts => ["localhost:9200"]
index => "myindex"
query => '{ "query": {"match_all": {}} }'
size => 100
docinfo => true
}
}

In the configuration you can see how I indicate a size of 100 but ignore this value and return all the documents of the index.

Can someone help me with this problem?

Best regards

Badger · August 1, 2021, 7:57pm

I think the size option only takes effect if scroll is enabled. In which case the input will repeatedly make calls to the search API until all of the documents that match the query are returned.

If you want to limit the number of documents returned by the query you need to tell elasticsearch that. I think that would be

query => '{ "query": {"match_all": {}}, "size": 100 }'

JFO_90 · August 1, 2021, 8:29pm

I have tried with the scroll field and with the size in the query and it keeps returning all the docs.

input {
elasticsearch {
hosts => "localhost:9200"
index => "myindex"
query => '{ "query": {"match_all": {}}, "size": 100 }'
docinfo => true
}
}

input {
elasticsearch {
hosts => ["localhost:9200"]
index => "myindex"
query => '{ "query": {"match_all": {}} }'
size => 100
scroll => "5m"
docinfo => true
}
}

Both return all the docs of the index.

Badger · August 1, 2021, 9:59pm

The second one is expected to return all documents. The input will loop fetching 100 documents at a time until it has gotten them all.

I think I had size in the wrong place. Try

query => '{ "query": {"match_all": {}, "size": 100}}'

JFO_90 · August 1, 2021, 10:43pm

Y tried
elasticsearch {
hosts => "localhost:9200"
index => "myindex"
query => '{ "query": {"match_all": {}, "size": 100}}'
docinfo => true
}

And the result was

E Error: [400] {"error":{"root_cause":[{"type":"parsing_exception","reason":"[match_all] malformed query, expected [END_OBJECT] but found [FIELD_NAME]","line":1,"col":26}],"type":"parsing_exception","reason":"[match_all] malformed query, expected [END_OBJECT] but found [FIELD_NAME]","line":1,"col":26},"status":400}

Badger · August 1, 2021, 11:09pm

Looking at an example from the input documentation

query => '{ "query": { "match": { "statuscode": 200 } }, "sort": [ "_doc" ] }'

"sort" is at the same level as "query" so I had it right the first time. I don't know DSL well enough to know if size can be used in the same way. I guess not.

JFO_90 · August 1, 2021, 11:23pm

I was trying with different queries like this

query => '{
"query": {
"bool": {
"filter": [
{
"terms": {
"enviroment": [
"pre"
]
}
}
]
}
},
"size": 100
}'

This DSL query return results, but not 100 as i said on the size, this query return more than 100 results.
It seems that the size field does not work as indicated in the beginning of the topic

JFO_90 · August 3, 2021, 11:15am

Has anyone encountered this problem or knows how to solve it?

Best regards

system · August 31, 2021, 11:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Limiting results to 100 problem Elasticsearch	2	321	July 6, 2017
Size limit in a query? Kibana	7	1466	November 21, 2019
Getting no results with match_all Query Elasticsearch	8	3338	July 6, 2017
Max suggested index sizes / document amount etc Elasticsearch	3	1014	December 22, 2023
Incorrect Doc Count vs index total returns in ES Elasticsearch	5	2706	April 2, 2020

Elasticsearch input plugin size

Related Topics