Elasticsearch query with different fields

Hi, here is an example of my documents:

{
    "@timestamp": "2020-04-24T19:36:52.484Z",
    "token": "123",
    "application": "sso_api_v3",
    "ssoapiv3_method": "GET",
    "ssoapiv3_error_description": "Your access token has expired",
    "code": 401,
    "message": "\"message\"",
    "level": 6,
    "facility": "sso_api_v3",
    "type": "gelf"
}
[...]
{
    "@timestamp": "2020-04-24T19:37:52.484Z",
    "token": "123",
    "application": "sso_api_v3",
    "ssoapiv3_method": "GET",
    "ssoapiv3_error_description": "Your access token has expired",
    "code": 200,
    "message": "\"message\"",
    "level": 6,
    "facility": "sso_api_v3",
    "type": "gelf"
}
[...]

I have a huge amount of requests and I would like to do a search in order to get documents with the same token but with code 200, 401, and then 200 again. I can get all 200, all 401, but I'm unable to get tokens with 200, then 401, then 200.

Any help would be much appreciated!

Not getting your problem, can you elaborate a bit more?

Hi @psramkumar,
Thanks for your interest. The context: we use an SSO application using a token. When everything's OK we only have 200, but sometimes we get 401 (unauthorized) and then 200 again, and that's strange, so I want to get the tokens for which we have this behaviour.
So I would like a way to get tokens with 200, then 401, then 200 again.

Thanks :slight_smile:

So in that case return all and sort by the timestamp field; you will get what you are looking for.

Problem is I only want tokens with this scenario; I have too many documents to check by eye and I'm not able to come up with a relevant query, not an expert yet at Elasticsearch.
I have tens of thousands of different tokens, each with hundreds of queries.

Then in that case use an aggregation on the token field, you will get the unique values. Also add size = 0; that way you can avoid the source.


As far as I know there is no way to accomplish that use case. You can of course query for tokens that have 200 AND 401 responses. If all is sequential then it assumes that use case, but assumptions are the mother of all F*** Ups, so you need to come up with a way to verify that.

Looking for sequences of events typically requires a special entity-centric index in addition to the one you have got, and cannot be done by querying raw data.
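Since the thread concludes that the 200, then 401, then 200 sequence per token cannot be expressed as one query over the raw hits, one practical check is to pull the hits for candidate tokens (for example the unique tokens from a terms aggregation) and scan them client-side in timestamp order. The following is an added example, not code from the thread; it uses constructed sample hits shaped like the GELF documents above, keeping only the fields the check needs, and treats the pattern as a consecutive run of response codes.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample hits in the shape of the thread's documents
# (only @timestamp, token and code are kept). Token "abc" is listed
# out of timestamp order to show why sorting per token is required.
SAMPLE_HITS = [
    {"@timestamp": "2020-04-24T19:36:52.484Z", "token": "123", "code": 200},
    {"@timestamp": "2020-04-24T19:37:52.484Z", "token": "123", "code": 401},
    {"@timestamp": "2020-04-24T19:38:52.484Z", "token": "123", "code": 200},
    {"@timestamp": "2020-04-24T19:36:00.000Z", "token": "456", "code": 200},
    {"@timestamp": "2020-04-24T19:37:00.000Z", "token": "456", "code": 200},
    {"@timestamp": "2020-04-24T19:36:00.000Z", "token": "789", "code": 401},
    {"@timestamp": "2020-04-24T19:37:00.000Z", "token": "789", "code": 200},
    {"@timestamp": "2020-04-24T19:38:00.000Z", "token": "abc", "code": 200},
    {"@timestamp": "2020-04-24T19:36:00.000Z", "token": "abc", "code": 200},
    {"@timestamp": "2020-04-24T19:37:00.000Z", "token": "abc", "code": 401},
]

def parse_ts(ts):
    # ISO-8601 timestamp with millisecond fraction and trailing Z, as in the hits
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def code_sequences(hits):
    """Group hits by token and return each token's response codes in timestamp order."""
    by_token = defaultdict(list)
    for hit in hits:
        by_token[hit["token"]].append((parse_ts(hit["@timestamp"]), hit["code"]))
    return {tok: [code for _, code in sorted(events)] for tok, events in by_token.items()}

def contains_pattern(codes, pattern=(200, 401, 200)):
    """True when `pattern` occurs as a consecutive run inside `codes`."""
    n = len(pattern)
    return any(tuple(codes[i:i + n]) == pattern for i in range(len(codes) - n + 1))

def suspicious_tokens(hits, pattern=(200, 401, 200)):
    """Sorted list of tokens whose ordered response codes contain `pattern`."""
    return sorted(tok for tok, codes in code_sequences(hits).items()
                  if contains_pattern(codes, pattern))

if __name__ == "__main__":
    for tok in suspicious_tokens(SAMPLE_HITS):
        print(tok, code_sequences(SAMPLE_HITS)[tok])
```

On real data, fetch each candidate token's hits sorted by `@timestamp` (or page through them) rather than loading everything at once; tokens with only 200s or with a 401 that is not preceded by a 200 are correctly skipped.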
