Elasticsearch query not returning the exact value

Unable to get the values from my JSON data.

My data:

{"web1":{"Uptime":1295843,"thr":408685,"nx01_01":{"Uptime":157635,"Name":"nx01_01","Bytes":14416383831,"TotalConnections":2},"timestamp": "2016-06-28 09:15:24","Srv":"web1","nx02_01":{"Uptime":423606,"Name":"nx02_01","Bytes":0,"TotalConnections":3},"nx04_01":{"Uptime":496782,"Name":"nx04_01","Bytes":0,"TotalConnections":2},"nx03_01":{"Uptime":496782,"Name":"nx03_01","Bytes":0,"TotalConnections":3}}}

My Elasticsearch Query:

curl -XGET 'http://localhost:9200/8m1ea8-2016.06.28/_search?pretty' -d '{"size":0,"query":{"filtered":{"query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"gte":"1467112598780","lte":"1467112680435"}}}]}}}},"aggs":{"1":{"terms":{"field":"Name","size":0,"order":{"_term":"asc"}}}}}'

But the above query only returns a single value [ nx04_01 ] instead of showing 4 values. Can you please confirm whether the above query is correct?

Output of the above query:
{"took":1,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":1,"max_score":0.0,"hits":[]},"aggregations":{"1":{"doc_count_error_upper_bound":0,"sum_other_doc_count":0,"buckets":[{"key":"nx04_01","doc_count":1}]}}}

Expected values: nx01_01,nx02_01,nx03_01,nx04_01.

I even tried some other patterns, removing the time range and searching the whole data, but it still shows the same value [ only a single value ]. Any suggestions? Thanks in advance.

This is my actual data:

{
    "web1": {
        "Uptime": 1295843,
        "thr": 408685,
        "nx01_01": {
            "Uptime": 157635,
            "Name": "nx01_01",
            "Bytes": 14416383831,
            "TotalConnections": 2
        },
        "timestamp": "2016-06-28 09:15:24",
        "Srv": "web1",
        "nx02_01": {
            "Uptime": 423606,
            "Name": "nx02_01",
            "Bytes": 0,
            "TotalConnections": 3
        },
        "nx04_01": {
            "Uptime": 496782,
            "Name": "nx04_01",
            "Bytes": 0,
            "TotalConnections": 2
        },
        "nx03_01": {
            "Uptime": 496782,
            "Name": "nx03_01",
            "Bytes": 0,
            "TotalConnections": 3
        }
    }
}

I just want to retrieve only the value of "Name" field.

Any idea on this? I'm still unable to find a solution for this. Please, someone share your suggestions.

Hey,

It might be possible that you are using an older version of Elasticsearch that tried to look up field names in some automagic way. Thus, when you specify Name, web1.nx04_01.Name was used. In current versions this does not work anymore; you always need to specify the full path.

I think in your example it makes more sense to index those four parts of this document as four single documents, because then you are able to use a Name field that can be addressed uniquely, which it cannot be in your current dataset.

--Alex

Yes, I'm using ELS version 1.7.5. Right now I have no plan to migrate my ELS to the latest 2.x version, since I haven't hit any issues on my current ELS version.

Is there any workaround solution to get the values? Please share.

Hey,

You need to change your data model (or even split your single document into several documents, or use nested), if you want to aggregate by the name. The definitive guide has some nice chapters about data modeling (which also contains a chapter about nested documents). Take your time and read the whole book if you can :slight_smile:

--Alex
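One way to carry out the data-model change Alex recommends, as an added example that is not part of this thread: split the per-server document into one document per nx* block so that Name becomes a top-level field, then emulate the terms aggregation locally to check that all four buckets appear. The `server_` field prefix, the `nginx` document type and the helper names are assumptions, not anything from the thread.

```python
import json
from collections import Counter

# Constructed sample: the single document posted in the question, keyed by server.
RAW_DOC = json.loads('''{"web1":{"Uptime":1295843,"thr":408685,
 "nx01_01":{"Uptime":157635,"Name":"nx01_01","Bytes":14416383831,"TotalConnections":2},
 "timestamp":"2016-06-28 09:15:24","Srv":"web1",
 "nx02_01":{"Uptime":423606,"Name":"nx02_01","Bytes":0,"TotalConnections":3},
 "nx04_01":{"Uptime":496782,"Name":"nx04_01","Bytes":0,"TotalConnections":2},
 "nx03_01":{"Uptime":496782,"Name":"nx03_01","Bytes":0,"TotalConnections":3}}}''')


def split_document(doc):
    """Turn one per-server document into one document per child object.

    Every dict value carrying a "Name" key becomes its own document, so "Name"
    is a unique, top-level field. The parent's scalar fields (Srv, timestamp,
    the server-level Uptime ...) are copied into each child with a "server_"
    prefix (assumed naming) so they cannot collide with the child's own keys.
    """
    out = []
    for server, body in doc.items():
        parent = {"server_" + k: v for k, v in body.items() if not isinstance(v, dict)}
        for child in body.values():
            if isinstance(child, dict) and "Name" in child:
                flat = dict(child)             # Name, Bytes, Uptime ... stay top-level
                flat.update(parent)
                flat["server_key"] = server    # which server block it came from
                out.append(flat)
    return out


def terms_agg(docs, field):
    """Emulate a terms aggregation ordered by {_term: asc}: [(key, doc_count), ...]."""
    counts = Counter(d[field] for d in docs if field in d)
    return sorted(counts.items())


def to_bulk(docs, index, doc_type="nginx"):
    """Render the split documents as an NDJSON body for the _bulk API (1.x needs a type)."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": doc_type}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    docs = split_document(RAW_DOC)
    print(terms_agg(docs, "Name"))   # four buckets, one per nx*_01, doc_count 1 each
    print(to_bulk(docs, "8m1ea8-2016.06.28"))
```

Against the unsplit document the same `terms_agg` finds no top-level Name at all, which is the situation the question runs into once field lookup by short name is gone.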

Thanks for your suggestion. Let me check the link.