How to filter a specific field and how to filter on a wildcard field such as `/cars/*`?

fikse · June 19, 2016, 10:19pm

I have this index:

{
  "_index": "logstash-2015.12.15",
  "_type": "logs",
  "_id": "AVVVW_wekW28kZ0eUiUh",
  "_version": 1,
  "_score": 1,
  "_source": {
    "message": "127.0.0.1 - - [15/Dec/2015:18:50:15 -0500] "GET /cars/123 HTTP/1.1" 200 172 "-" "-"",
    "@version": "1",
    "@timestamp": "2015-12-15T23:50:15.000Z",
    "type": "log",
    "host": "abc123.local",
    "remote_ip": "127.0.0.1",
    "user_name": "-",
    "time": "15/Dec/2015:18:50:15 -0500",
    "request_action": "GET",
    "request": "/cars/123",
    "http_version": "1.1",
    "response": "502",
    "bytes": "172",
    "referrer": "-",
    "agent": "-",
    "user_agent": {
      "name": "Other",
      "os": "Other",
      "os_name": "Other",
      "device": "Other"
    }
  }
}

I am using the elasticsearch javascript client, and I'm trying to search for all instances of requests to /cars, but first I'm trying to match the index above before trying to match all:

    es.search({
      analyzeWildcard: true,
      index: 'logstash-*',
      type: 'log',
      body: {
        query: {
          bool: {
            must: [
              { match: { request_action: "GET" } }
            ],
            filter: [
              { term: { request: "/cars/123" } }
            ]
          }
        }
      }
    }).then(function(results) {
      debugger;

Here's what I get:

> results
{ took: 47,
  timed_out: false,
  _shards: { total: 740, successful: 740, failed: 0 },
  hits: { total: 0, max_score: null, hits: [] } }

I even tried this:

  // first example query
  es.search({
    index: 'logstash-*',
    q: "request:cars"
  })

and this:

  // second example query
  es.search({
    index: 'logstash-*',
    q: "request:cars/123"
  })

These queries do return results, however, they are weighted results:

{ took: 30,
  timed_out: false,
  _shards: { total: 740, successful: 740, failed: 0 },
  hits:
   { total: 26,
     max_score: 3.6100698,
     hits:
      [ [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object],
        [Object] ] } }

The request field has a mapping type of not_analyzed. How do I query for a specific field and then how would I query for something like /cars/*?

mainec · June 20, 2016, 8:02am

First off: I'm not sure what's going wrong in your term query. As for the rest of the question:

For something like this you'd need a wildcard query: Wildcard query | Elasticsearch Guide [8.11] | Elastic

Also what ES version are you running? Queries and filters have been merged, see here: Better query execution coming to Elasticsearch 2.0 | Elastic Blog

Hope this helps,
Isabel

fikse · June 20, 2016, 4:27pm

Hi Isabel, thank you for responding.
I'm using elasticsearch 2.3.3, and I can't seem to filter out only the results I want. I've been trying and trying, and I've even simplified the queries to start looking for requests to /robots.txt but I only get similar matches, not actual matches.

The requests now look like this:

body = new Bodybuilder().query('match', 'request_action', 'GET')
                        .filter('term', 'request', '/robots.txt')
                        .aggregation('terms', 'request')
                        .build()
es.search(body)

fikse · June 20, 2016, 4:46pm

@mainec I figured out the issue:
The type was logs not log.