How to not present duplicated data using the Elasticsearch _search query API

Hi.

I am using Filebeat -> Logstash -> Elasticsearch to save my log files. I have saved a field called casename to indices following the pattern caselog-{YYYY.MM.dd}, and I want to query all the case names in that index but show each casename in the result only once. What should I do?

GET /caselog-2023.03.23/_search
{
  "query": {
    "bool": {
      "must": [
        {"match": { "input.type": "filestream" }},
        {"match": {"host.ip": "172.22.0.2"}}
      ]
    }
  },
  "_source": ["casename"]
}

How do I improve my query so that d.log is shown only once?

{
  "took": 703,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 548,
      "relation": "eq"
    },
    "max_score": 0.0018223235,
    "hits": [
      {
        "_index": "caselog-2023.03.23",
        "_id": "LOlnDYcBdTWF_DUiXPsD",
        "_score": 0.0018223235,
        "_source": {
          "casename": "d.log"
        }
      },
      {
        "_index": "caselog-2023.03.23",
        "_id": "JulnDYcBdTWF_DUiXPsC",
        "_score": 0.0018223235,
        "_source": {
          "casename": "Identify_IdfyCtrlValueVerify.py_2023-02-01_02-38-29.log"
        }
      },
      {
        "_index": "caselog-2023.03.23",
        "_id": "J-lnDYcBdTWF_DUiXPsC",
        "_score": 0.0018223235,
        "_source": {
          "casename": "d.log"
        }
      },
.......
.......
.......

Can anyone help?
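Two ways to get each casename once, as an added example that is not part of the original post or of any reply in the thread: field collapsing (one hit per distinct value, keeping the `_source` shape the post already uses) and a composite aggregation (distinct values only, paged with `after_key`, which is the safe route when the number of distinct values is unknown). The example assumes the field is available as the keyword sub-field `casename.keyword`, which is the default dynamic mapping for strings written by Logstash; aggregations and collapsing need a keyword (or other exact-value) field, so if your template maps casename differently the field name must be adjusted. The `search` callable stands in for `client.search(index=..., body=...)` and the page contents are constructed so the code runs offline.

```python
"""Return each distinct casename once from a caselog-* index.

Added example, not code from the original post. Assumes the keyword
sub-field "casename.keyword" exists (default Logstash dynamic mapping).
"""
import json
from typing import Callable, Dict, Iterator, Optional

FIELD = "casename.keyword"   # assumption: keyword sub-field used for exact values
PAGE_SIZE = 500              # composite page size; ES default is 10

# Same conditions as the original query, but under "filter" rather than
# "must": exact-value matches do not need relevance scoring.
BASE_FILTER = {
    "bool": {
        "filter": [
            {"term": {"input.type": "filestream"}},
            {"term": {"host.ip": "172.22.0.2"}},
        ]
    }
}


def collapse_query() -> Dict:
    """One hit per distinct casename via field collapsing."""
    return {
        "query": BASE_FILTER,
        "collapse": {"field": FIELD},
        "_source": ["casename"],
    }


def composite_query(after_key: Optional[Dict] = None) -> Dict:
    """Distinct casenames only (size 0), paged with the composite 'after' key."""
    composite = {
        "size": PAGE_SIZE,
        "sources": [{"casename": {"terms": {"field": FIELD}}}],
    }
    if after_key is not None:
        composite["after"] = after_key
    return {
        "size": 0,
        "query": BASE_FILTER,
        "aggs": {"cases": {"composite": composite}},
    }


def distinct_casenames(search: Callable[[Dict], Dict]) -> Iterator[str]:
    """Walk every composite page; stop when a page comes back empty or
    without an after_key, which is how Elasticsearch signals the end."""
    after_key = None
    while True:
        agg = search(composite_query(after_key))["aggregations"]["cases"]
        for bucket in agg["buckets"]:
            yield bucket["key"]["casename"]
        after_key = agg.get("after_key")
        if after_key is None or not agg["buckets"]:
            break


# Constructed responses standing in for the cluster: two distinct values
# whose doc_counts add up to the 548 hits shown in the post, one per page.
_PAGES = {
    None: {
        "buckets": [{"key": {"casename": "Identify_IdfyCtrlValueVerify.py_2023-02-01_02-38-29.log"},
                     "doc_count": 300}],
        "after_key": {"casename": "Identify_IdfyCtrlValueVerify.py_2023-02-01_02-38-29.log"},
    },
    "Identify_IdfyCtrlValueVerify.py_2023-02-01_02-38-29.log": {
        "buckets": [{"key": {"casename": "d.log"}, "doc_count": 248}],
        "after_key": {"casename": "d.log"},
    },
    "d.log": {"buckets": []},   # final request: no buckets, no after_key
}


def fake_search(body: Dict) -> Dict:
    """Offline stand-in for client.search(); dispatches on the 'after' key."""
    after = body["aggs"]["cases"]["composite"].get("after")
    key = None if after is None else after["casename"]
    return {"aggregations": {"cases": _PAGES[key]}}


if __name__ == "__main__":
    print(json.dumps(collapse_query(), indent=2))
    print(list(distinct_casenames(fake_search)))
```

Use `collapse_query()` when you still want document fields beside the casename; `distinct_casenames()` when you only want the list of names. A plain `terms` aggregation with a large `size` also works for a few hundred values but is capped by `search.max_buckets`, which is why the paged composite form is shown here.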

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.