Get last 10 documents with named field

Hi,

Would appreciate some assistance.

I need a way to return the last 10 or so documents which contain data in a specified field.
See sample documents below:

The field I need to retrieve the values from is the "captured_data" field in the second document.
Not all my documents will have that field, only some will... I need a way to return, say, the last 10 documents which actually have that field.

Many thanks!

{
"_index": "user_data-2017.03.03",
"_type": "logs",
"_id": "AVqVJw5rXDJ0YRPIx7dN",
"_score": 1,
"_source": {
		"message": "action = standard\t[MsgId: MMSG-17999]\r",
    "@version": "1",
    "@timestamp": "2017-03-03T17:10:40.714Z",
    "host": "redpart-667a",
    "path": "04_253.log",
    "handler": "unknown",
    "run": "442",
    "endpoint": "unknown",
    "id": "253",
    "directive": 0,
    "run_type": "not_assigned",
    "last_code": "11751",
    "iteration": "0",
    "site": "fall"
	}
},
{
"_index": "user_data-2017.03.03",
"_type": "logs",
"_id": "AVqVJw5rXDJ0YRPIx7dN",
"_score": 1,
"_source": {
		"message": "action = standard\t[MsgId: MMSG-17999]\r",
    "@version": "1",
    "@timestamp": "2017-03-03T17:10:40.714Z",
    "host": "redpart-667a",
    "path": "04_253.log",
    "handler": "unknown",
    "run": "442",
    "endpoint": "unknown",
    "id": "253",
    "directive": 0,
	"captured_data": "1786tg7812b2",
    "run_type": "not_assigned",
    "last_code": "11751",
    "iteration": "0",
    "site": "fall"
	}
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.