How can I write this search statement?


(Hacksign) #1

Mapping :

{
  "information-db" : {
    "mappings" : {
      "details" : {
        "index_analyzer" : "default_index",
        "search_analyzer" : "default_search",
        "properties" : {
          "log" : {
            "type" : "nested",
            "properties" : {
              "_key_" : {
                "type" : "string"
              },
              "_type_" : {
                "type" : "string",
                "index" : "not_analyzed"
              },
              "_value_" : {
                "type" : "string",
                "fields" : {
                  "raw" : {
                    "type" : "string",
                    "index" : "not_analyzed"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

Data :

{"log":
	[
		{'_key_':['network', 'dns', 'ip'], '_value_':'8.8.8.8', '_type_':'unicode'}, 
		{'_key_':['network', 'udp'], '_value_':'1.2.3.4', '_type_':'unicode'}
	]
}


{"log":
	[
		{'_key_':['network', 'dns', 'ip'], '_value_':'8.8.8.8', '_type_':'unicode'}, 
		{'_key_':['network', 'udp'], '_value_':'7.8.9.0', '_type_':'unicode'}
	]
}

My search demand:
I want to get the logs that contain both the DNS entry '8.8.8.8' and the IP address '1.2.3.4'.

How can I write the query DSL statement for this?


(Hacksign) #2

Got it, this query does what I need:

{
    "query" : {
        "bool" : {
            "must" : [
                {
                    "nested" : {
                        "path" : "log",
                        "query" : {
                            "bool" : {
                                "must" : [
                                    {"match" : {"log._key_" : {"query" : "network dns ip", "operator" : "and"}} },
                                    {"match_phrase":{"log._value_":"8.8.8.8"}}
                                ]
                            }
                        }
                    }
                },
                {
                    "nested" : {
                        "path" : "log",
                        "query" : {
                            "bool" : {
                                "must" : [
                                    {"match":{"log._key_":{"query":"network udp","operator":"and"}}},
                                    {"match_phrase":{"log._value_":"1.2.3.4"}}
                                ]
                            }
                        }
                    }
                }
            ]
        }
    }
}
