The poor documentation of Elasticsearch continues to hamper expanding my usage, and even poorer vagueness in the PHP API documentation.
This seems like a simple example. Search for a field (it is a tag field, it can have multiple values), in this case 'event_source' (*), over a date range, say the last 24 hours. Something simple, that is like the basic operation of Kibana's discover area.
Here is exactly what I want to do:
Which also says, my fields are there, data is there, index, etc, ... this seems to be purely some sort of undocumented abstraction issue with the PHP API.
As far as I can see, this is the way to do so ... and it returns nothing:
```php
use Elastic\Elasticsearch\Helper\Iterators\SearchHitIterator;
use Elastic\Elasticsearch\Helper\Iterators\SearchResponseIterator;

// Query body: documents whose "date" field falls in the last 24 hours
$json = '{
    "query": {
        "range": {
            "date": {
                "gte": "now-24h",
                "lt": "now"
            }
        }
    }
}';

$search_params = [
    'scroll' => '1m',          // period to retain the search context
    'index'  => 'filebeat-*',  // here the index name
    'size'   => 10,            // 10 results per page
    'body'   => json_decode($json, false),
];

$url = $opt['es'];
$client = Elastic\Elasticsearch\ClientBuilder::create()
    ->setHosts($url)
    ->setBasicAuthentication('elastic', 'xxxx')
    ->setCABundle('le-ca.pem')
    ->build();

// Scroll through every page of results, one hit at a time
$pages = new SearchResponseIterator($client, $search_params);
$hits = new SearchHitIterator($pages);
foreach ($hits as $hit) {
    echo $hit['_id'] . " " . $hit['_source']['@timestamp'] . " " . $hit['_source']['message'], PHP_EOL;
}
```
Any other kind of query ... changing query with ranges or match ... (this is only having the date range) as to just match on a single field ... will either return nothing, or a syntax error:
... "parsing_exception","reason":"[match] malformed query, expected [END_OBJECT] but found [FIELD_NAME]", ...
Yes, changing the query to, as the example says ....
```php
'body' => [
    'query' => [
        'match_all' => new StdClass // {} in JSON
    ]
]
```
Does in fact work ... but of course, this is returning ... everything?
I have exhausted all the examples, in both the PHP and raw API documentation, reached the end of Google, and searches here in the forum turned up just about nothing.
Have the latest ...
- elasticsearch/elasticsearch v8.8.2
- php 8.2.x
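
A sketch of the search described in the post (one field over the last 24 hours), added here as an example and not the poster's or Elastic's code: each condition is a separate `bool.filter` clause, since a query object accepts only one query type. The `@timestamp` time field, the keyword mapping of `event_source`, and the helper name `buildFieldInWindowBody` are assumptions.

```php
<?php
// Added example, not the poster's code. Field names and the helper name are assumptions.

/**
 * Build a search body that filters on one field within a time window.
 * Each condition is its own element of bool.filter, so the query object
 * holds a single query type ("bool") instead of sibling "match"/"range" keys.
 */
function buildFieldInWindowBody(
    string $field,
    string $value,
    string $timeField = '@timestamp', // assumption: the field printed by the post's output loop
    string $since = 'now-24h'
): array {
    // '*' means "any value present": use exists instead of an exact term lookup.
    $fieldClause = ($value === '*')
        ? ['exists' => ['field' => $field]]
        : ['term' => [$field => $value]]; // assumes a keyword-mapped field

    return [
        'query' => [
            'bool' => [
                'filter' => [
                    $fieldClause,
                    ['range' => [$timeField => ['gte' => $since, 'lt' => 'now']]],
                ],
            ],
        ],
    ];
}

// Same request parameters as in the post, with the combined query as the body.
$searchParams = [
    'scroll' => '1m',
    'index'  => 'filebeat-*',
    'size'   => 10,
    'body'   => buildFieldInWindowBody('event_source', '*'),
];

// Print the JSON that would be sent, for comparison with a Kibana Dev Tools request.
echo json_encode($searchParams['body'], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Passing `$searchParams` to `SearchResponseIterator` works the same way as in the post; passing a concrete value instead of `'*'` switches the field clause to an exact `term` match.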