Get only multi-value in Elasticsearch

"hits": [
  {
    "_index": "logstash-ramesh-2019.08.28",
    "_type": "doc",
    "_id": "7XYH2GwBQhFmziR_i09j",
    "_score": null,
    "_source": {
      "username": "xxxxx-003",
      "dst_ip": "server",
      "@timestamp": "2019-08-28T11:41:05.284Z",
      "host": "xxxxxx-003",
      "src_hostname": "xxxxxx-003",
      "path": "C:/1148/E/ssh.txt",
      "@version": "1",
      "sport": "12",
      "engine_log_id": [
        "7",
        "8"
      ],
      "src_ip": "1.1.1.1",
      "engine_id": "4003",
      "date": "Nov 23 22:05:01",
      "message": "Nov 23 22:05:01 server sshd[21358]: Accepted password for xxxxx from xxx.xx.xxx.xx port 12 ssh2 Low 7 - 13464\r"
    },
    "sort": [
      1566992465284
    ]
  },
  {
    "_index": "logstash-ramesh-2019.08.28",
    "_type": "doc",
    "_id": "7XYH2GwBQhFmziR_i09j",
    "_score": null,
    "_source": {
      "username": "xxxxx-003",
      "dst_ip": "server",
      "@timestamp": "2019-08-28T11:41:05.284Z",
      "host": "xxxxx-003",
      "src_hostname": "xxxxx-003",
      "path": "C:/1148/E/ssh.txt",
      "@version": "1",
      "sport": "12",
      "engine_log_id": "20",
      "src_ip": "1.1.1.1",
      "engine_id": "4003",
      "date": "Nov 23 22:05:01",
      "message": "Nov 23 22:05:01 server sshd[21358]: Accepted password for xxxxx from xxx.xx.xxx.xx port 12 ssh2 Low 7 - 13464\r"
    },
    "sort": [
      1566992465284
    ]
  }
]


engine_log_id has multiple values, but sometimes a single value as well. My concern is that I need to get only the documents with multiple values, not single ones. Refer to the example above.


Requesting anyone's help on this.

Assuming the field 'engine_id' is of the keyword data type, you can use the following DSL to get only multiple-value documents.

{
  "query": {
    "bool": {
      "filter": {
        "script": {
          "script": {
            "source": "doc['engine_id'].length > 1"
          }
        }
      }
    }
  }
}
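The script filter above is the right tool, but two details matter in practice: the question is about `engine_log_id` (the answer's DSL names `engine_id`), and the field name should be passed through `params` rather than spliced into the Painless source, so that a field name taken from user input can never become script injection. The following Python is an added example, not code from the thread or from Elastic. It builds the query body with the field name as a parameter, and emulates the Painless predicate locally on the two hits pasted in the question (plus one constructed hit with duplicate values) so the behaviour can be checked without a cluster. The emulation assumes a `keyword` mapping: doc values for a keyword field are de-duplicated and sorted, so `["9", "9"]` counts as one value, and a `text` field has no doc values at all and the server-side script would fail.

```python
"""Added example (not from the forum thread): build the script-filter query for
multi-valued documents and emulate the Painless predicate locally."""
import json
from typing import Any, Dict, List

# Constructed sample: the two hits pasted in the question, trimmed to the fields
# that matter, plus a third constructed hit whose list holds a duplicate value.
SAMPLE_HITS: List[Dict[str, Any]] = [
    {"_id": "7XYH2GwBQhFmziR_i09j",
     "_source": {"engine_id": "4003", "engine_log_id": ["7", "8"]}},
    {"_id": "7XYH2GwBQhFmziR_i09j",
     "_source": {"engine_id": "4003", "engine_log_id": "20"}},
    {"_id": "constructed-duplicate",                       # assumption: constructed
     "_source": {"engine_id": "4003", "engine_log_id": ["9", "9"]}},
]


def multi_value_query(field: str, min_values: int = 2) -> Dict[str, Any]:
    """Return a search body whose script filter keeps documents in which
    `field` carries at least `min_values` doc values.

    The field name and threshold travel in `params`, so no caller-supplied
    string is ever concatenated into the Painless source. `doc[params.field]`
    needs a field with doc values (e.g. `keyword`); `text` fields have none.
    """
    return {
        "query": {
            "bool": {
                "filter": {
                    "script": {
                        "script": {
                            "lang": "painless",
                            "source": "doc[params.field].size() >= params.min_values",
                            "params": {"field": field, "min_values": min_values},
                        }
                    }
                }
            }
        }
    }


def doc_values(value: Any) -> List[str]:
    """Emulate what `doc[field]` yields for a keyword field: the values as
    strings, de-duplicated and sorted; a missing or null field is empty."""
    if value is None:
        return []
    raw = value if isinstance(value, list) else [value]
    return sorted({str(v) for v in raw if v is not None})


def filter_multi_value(hits: List[Dict[str, Any]], field: str,
                       min_values: int = 2) -> List[Dict[str, Any]]:
    """Apply the same predicate as the script filter to hits already in hand."""
    return [h for h in hits
            if len(doc_values(h.get("_source", {}).get(field))) >= min_values]


if __name__ == "__main__":
    print(json.dumps(multi_value_query("engine_log_id"), indent=2))
    for hit in filter_multi_value(SAMPLE_HITS, "engine_log_id"):
        print(hit["_id"], hit["_source"]["engine_log_id"])
```

Two operational notes: inline scripts must be permitted by the cluster's `script.allowed_types` setting for the query to run at all, and a script filter is evaluated per document rather than from an index structure, so combine it with cheaper filters (a date range on `@timestamp`, a term on `engine_id`) in the same `bool` so the script only sees the documents that survive them.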

Great, awesome!!!!

I really appreciate it.

Thanks a lot!!!
