How to explicitly match a query in ES


(Dennis) #1

Hi,

I'm trying to query ES for a server name and it works great. But, when I put in a dummy server name that I know doesn't exist (to prove my query really is working by not finding anything), it still brings back results that match part of my string.

What I'm trying to achieve is to know when a server isn't logging to ES, with a once-a-day check of that day's index.

Working example (server names changed):

curl -XGET "http://localhost:9200/logstash-index/_search" -d'
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "syslog_hostname": "uk-server-name-1"
        }
      }
    }
  }
}' | python -m json.tool

Returns output only for the server.

Not working example:

curl -XGET "http://localhost:9200/logstash-index/_search" -d'
{
  "query": {
    "bool": {
      "must": {
        "match": {
          "syslog_hostname": "not-a-real-1"
        }
      }
    }
  }
}' | python -m json.tool

This query returns everything matching the "-1" part. Can anyone help me to make this an explicit search?

Thanks

Dennis


(Dennis) #2

I found this was the best way to get an exact match. I hope this helps someone else.

http://localhost:9200/$LOGDATE/_search?size=1000&q=message:string

breaking it down:

  • http://localhost:9200/$LOGDATE - Your index name. You will know what yours is.
  • _search?size=1000 - You're doing a search and limiting it to 1000 responses (I think). You can change this number as required. I can't remember what the default is, but it's not many.
  • q=message:string - This is the query (without having to do { "query": { "match_phrase": { "message" : "string" } } }); saves some keystrokes. "message" is any type you're parsing via logstash (i.e. you could have "hostname"). string is what you are looking for within the type.

Regards

Dennis
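An added example, not Dennis's query or anything else from this thread, of the once-a-day "which servers stopped logging?" check done with an exact term query instead of an analysed match. It assumes the Logstash default mapping (syslog_hostname carries an un-analysed .keyword sub-field), Python 3, and the ES 6 / ES 7+ shapes of hits.total; the sample responses are constructed so it runs offline.

```python
# Added example (not from the thread): once-a-day "is host X still logging?" check.
# Assumes the Logstash default mapping, where syslog_hostname has a .keyword
# sub-field holding the un-analysed value, so a term query on it matches the
# whole hostname only, never the "1" token shared with "not-a-real-1".
import json
import urllib.request

def exact_host_query(hostname, field="syslog_hostname"):
    """Exact-match query body; size 0 because only the hit count is needed."""
    return {
        "size": 0,
        "query": {"bool": {"filter": {"term": {f"{field}.keyword": hostname}}}},
    }

def hit_count(response):
    """Read hits.total in both the ES 6 (int) and ES 7+ ({"value": n}) shapes."""
    total = response["hits"]["total"]
    return int(total["value"]) if isinstance(total, dict) else int(total)

def search(base_url, index, body):
    """POST the query to ES (network call; not used by the offline sample run)."""
    req = urllib.request.Request(
        f"{base_url}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def missing_hosts(expected, fetch):
    """Hosts with zero documents; fetch(body) returns a parsed ES response."""
    return sorted(h for h in expected if hit_count(fetch(exact_host_query(h))) == 0)

# Constructed sample responses standing in for ES so the script runs offline.
SAMPLE = {
    "uk-server-name-1": {"hits": {"total": {"value": 42, "relation": "eq"}}},
    "uk-server-name-2": {"hits": {"total": 0}},
}

def fake_fetch(body):
    host = body["query"]["bool"]["filter"]["term"]["syslog_hostname.keyword"]
    return SAMPLE.get(host, {"hits": {"total": 0}})

if __name__ == "__main__":
    hosts = ["uk-server-name-1", "uk-server-name-2", "not-a-real-1"]
    print(missing_hosts(hosts, fake_fetch))  # ['not-a-real-1', 'uk-server-name-2']
```

Against a live cluster, pass `lambda body: search("http://localhost:9200", "logstash-2024.01.01", body)` as `fetch`, with the index name being the day you are checking.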

