Get data from Kibana using Elasticsearch API

Hi,

I'm trying to retrieve data from one Kibana view using the API request.

The request from the view:
[image]

The response with the expected result:
[image]

And then I tried to paste the request into Kibana > Dev Tools > Console, as I saw in this topic, but the response is totally different:
[image]

How can I retrieve this info using Kibana Dev Tools and the REST API?

Thanks,

Most of the requests Kibana does to get data from Elasticsearch are searches against an index. So if I copy the request from Kibana Discover, and paste that into the Kibana dev tools console, I need to add GET /your-index-name-here/_search before the body.

For example:

GET /gatling-data/_search
{
  "version": true,
  "size": 500,
  "sort": [
    {
      "timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "timestamp",
        "fixed_interval": "5s",
        "time_zone": "America/Chicago",
        "min_doc_count": 1
      }
    }
  },
...

Thanks for your help LeeDR. I'm using the index:

GET /default-2018.02/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "*",
            "analyze_wildcard": true
          }
        },
        {
          "match_phrase": {
            "message": {
              "query": "transaction_success"
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1612134000000,
              "lte": 1614553199999,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "size": 0,
  "_source": {
    "excludes": []
  },
  "aggs": {}
}

But if I use
[image]
or
[image]
the returned hits are always the same.

I feel that the query isn't working and I'm retrieving all the values. Response:

{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 195451,
    "max_score": 1,
    "hits": [
      {
        "_index": "default-2018.02",
        "_type": "logEvent",
        "_id": "************_",
        "_score": 1,
        "_source": {
          "@timestamp": "2021-01-01T00:30:12.5268305Z",
          "level": "Info",
          "message": "New mail messages in folder Input for : 0. process is already running: False",
          "levelOrdinal": 2,
          "timeStamp": "2021-01-01T00:30:12.5268305Z",
          "Source": "Robot",
          "organizationUnitId": 1,
          "logType": "User",
...

Thanks.

I can't really tell what the name of the field is that contains transaction_success. If you go to the index pattern in Kibana and look at the fields, can you tell me what you see for that field? Do you see that field listed twice, once with .keyword appended to the end?

I think your issue is that the field containing transaction_success is analyzed which splits it into transaction and success. But I would have thought the match_phrase you're doing would have then correctly matched on transaction success.
But if you could use the .keyword field that wouldn't be analyzed.

Today I solved it with the help of someone more knowledgeable about it. He changed the query and now I can retrieve the data needed.

POST index/_search
{
  "query": {
    "match": {
      "message": {
        "query": "transaction_error",
        "type": "phrase"
      }
    }
  }
}

I was expecting to copy the request directly from the view, like I saw in the topic that I mentioned before, but it doesn't work.

The next step is to retrieve the data using the API.

Many thanks for your help.
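For the "retrieve the data using the API" step, here is an added Python example (not code from the thread or from Elastic) that builds the same Discover-style body used above, renders it in the form Dev Tools expects (method line directly followed by the JSON body), sends it over the REST API, and reduces the response to the hit total and matching messages. The base URL, index name, ES_USER/ES_PASSWORD variable names and the sample response are assumptions or constructed for illustration.

```python
import base64
import json
import os
import urllib.request


def build_search_body(phrase, gte_ms, lte_ms, size=500):
    """Phrase match on "message" plus an epoch-millis range on "@timestamp".
    Note: size=0 returns aggregation results only, no hits."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"must": [
            {"match_phrase": {"message": {"query": phrase}}},
            {"range": {"@timestamp": {"gte": gte_ms, "lte": lte_ms,
                                      "format": "epoch_millis"}}},
        ]}},
    }


def console_request(index, body):
    """Text to paste into Kibana > Dev Tools > Console: no blank line between
    the method/path line and the body, otherwise the body is not sent."""
    return f"GET /{index}/_search\n{json.dumps(body, indent=2)}"


def search(base_url, index, body, timeout=30):
    """Same request over the REST API. Credentials are read from the
    environment (hypothetical ES_USER / ES_PASSWORD) rather than hard-coded."""
    req = urllib.request.Request(f"{base_url}/{index}/_search",
                                 data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    user, password = os.environ.get("ES_USER"), os.environ.get("ES_PASSWORD")
    if user and password:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(response):
    """Return (total, messages). hits.total is a plain number in the version
    seen in the thread and a {"value": N} object in newer releases."""
    total = response["hits"]["total"]
    if isinstance(total, dict):
        total = total["value"]
    return total, [h["_source"].get("message") for h in response["hits"]["hits"]]


# Constructed sample response in the shape shown in the thread (not real data).
SAMPLE_RESPONSE = {"hits": {"total": 2, "max_score": 1, "hits": [
    {"_index": "default-2018.02", "_source": {"message": "transaction_success for job 17"}},
    {"_index": "default-2018.02", "_source": {"message": "transaction_error for job 18"}},
]}}
```

Run `search("http://localhost:9200", "default-2018.02", build_search_body("transaction_success", 1612134000000, 1614553199999))` against your own cluster; the other functions work offline.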

Match_phrase will use the default analyzer to split the query into terms, so in your case it will split it into transaction and success, respectively transaction and error, so it wouldn't find a different number of results due to transaction being the highest number. I would suggest using match for a term like that.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.