Elasticsearch search query guide

Currently, I'm working on ELK 8 (Filebeat, Logstash, Elasticsearch & Kibana) and I'm stuck in the middle of it.

The sample log is here,

2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session opened OId 31324
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Transaction started TId T312487
........
2021-07-30 16:34:22 INFO  com.example.OrderRest [tegq842sh980] Session opened OId 31325
2021-07-30 16:34:22 INFO  com.example.OrderRest [tegq842sh980] Transaction started TId T312488
........
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session closed
2021-07-30 16:34:22 INFO  com.example.OrderRest [tegq842sh980] Session closed

Issue: If I query with OId 31324, I'm getting only the matching document, as below:

GET _search
{
  "query":{
    "match": {"OId": "31324"}
  }
}

result:

2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session opened OId 31324

Instead, the result should also include all the subsequent matching records generated by the transaction with request id fhxh750df392, like:

2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session opened OId 31324
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Transaction started TId T312487
........
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session closed

Likewise, if I query with TId T312487, the result should be:

2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Transaction started TId T312487
........
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session closed

I'm new to ELK; can anyone guide me on how to do this?
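A single `match` query cannot return the other lines of the session, because nothing in those documents contains `31324`; the only thing they share with the matching line is the request id in square brackets. The usual approach is therefore two steps: parse the request id into its own field at ingest time, run the first query to find the matching document and read its request id, then run a second query for every document with that request id from that point onward. The following Python is an added example that is not part of the original post or of any reply in the thread. It parses the post's sample lines into the fields a Logstash grok filter would produce (the pattern and the field names `request_id`, `OId`, `TId` are assumptions), runs the two-step lookup offline, and builds the Elasticsearch body for the second step. Since every sample line carries the same timestamp, it uses a per-line offset standing in for Filebeat's `log.offset` to keep the lines in log order.

```python
import re

# Constructed sample input, copied from the post; the "........" gaps in the
# post are left out rather than invented.
SAMPLE_LOG = """\
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session opened OId 31324
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Transaction started TId T312487
2021-07-30 16:34:22 INFO  com.example.OrderRest [tegq842sh980] Session opened OId 31325
2021-07-30 16:34:22 INFO  com.example.OrderRest [tegq842sh980] Transaction started TId T312488
2021-07-30 16:34:22 INFO  com.example.OrderRest [fhxh750df392] Session closed
2021-07-30 16:34:22 INFO  com.example.OrderRest [tegq842sh980] Session closed
"""

# Equivalent Logstash grok pattern for the filter stage (assumed field names,
# built from the standard grok patterns).
GROK_PATTERN = (r"%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level}\s+"
                r"%{JAVACLASS:logger} \[%{WORD:request_id}\] %{GREEDYDATA:message}")

# Same structure as a Python regex so the example runs without Logstash.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+)\s+"
    r"(?P<logger>\S+) \[(?P<request_id>[^\]]+)\] (?P<message>.*)$"
)
# Secondary identifiers that live inside the free-text message.
ID_RES = {"OId": re.compile(r"\bOId (\S+)"), "TId": re.compile(r"\bTId (\S+)")}


def parse_line(line, offset):
    """Turn one raw line into the document the ingest pipeline would index."""
    m = LINE_RE.match(line)
    if not m:
        return None
    doc = m.groupdict()
    doc["log_offset"] = offset  # stands in for Filebeat's log.offset (ingest order)
    for name, rx in ID_RES.items():
        idm = rx.search(doc["message"])
        if idm:
            doc[name] = idm.group(1)
    return doc


def parse_log(text):
    docs = []
    for offset, line in enumerate(text.splitlines()):
        doc = parse_line(line, offset)
        if doc:
            docs.append(doc)
    return docs


def correlated_search(docs, field, value):
    """Documents whose `field` equals `value`, plus every later document that
    shares their request_id (the remaining lines of that session)."""
    # Step 1: the direct match, as the post's match query does. Remember, per
    # request_id, the earliest offset at which the value was seen.
    first_seen = {}
    for doc in docs:
        if doc.get(field) == value:
            first_seen.setdefault(doc["request_id"], doc["log_offset"])
    # Step 2: pull the rest of each matching session, in log order.
    return [doc for doc in docs
            if doc["request_id"] in first_seen
            and doc["log_offset"] >= first_seen[doc["request_id"]]]


def es_query_for(request_id, from_offset):
    """Elasticsearch body for step 2 (assumed field names from the grok pattern)."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"request_id": request_id}},
            {"range": {"log.offset": {"gte": from_offset}}},
        ]}},
        "sort": [{"log.offset": "asc"}],
    }


if __name__ == "__main__":
    docs = parse_log(SAMPLE_LOG)
    for doc in correlated_search(docs, "OId", "31324"):
        print(doc["request_id"], doc["message"])
```

With the post's sample, searching `OId 31324` returns the session opened, transaction started and session closed lines for `fhxh750df392`, and searching `TId T312487` returns only the lines from the transaction start onward, which is what the post asks for. Against a live cluster the `term` query needs `request_id` mapped as `keyword` (which the default dynamic mapping provides via the `.keyword` sub-field); restricting by `log.offset` only works when all lines of a session come from the same file, so a multi-host deployment would need a session-scoped sequence number or a real sub-second timestamp instead.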
