How to limit data in search hits based on condition

Hi All,

I am working with Winlogbeat and have started receiving data in Elasticsearch, but now I want to limit the search hits based on some condition. I don't know whether this can be achieved using ES queries or not.

Below is the sample data I am getting in the winlogbeat index:

"hits": {
  "total": 38234,
  "max_score": 2.5101082,
  "hits": [
    {
      "_index": "winlogbeat-2019.04",
      "_type": "doc",
      "_id": "wWOIIGoBRROkT6ZhE4N5",
      "_score": 2.5101082,
      "_source": {
        "level": "Error"
      }
    },
    {
      "_index": "winlogbeat-2019.04",
      "_type": "doc",
      "_id": "ymOPIGoBRROkT6Zhh4xK",
      "_score": 2.5101082,
      "_source": {
        "level": "Error"
      }
    },
    {
      "_index": "winlogbeat-2019.04",
      "_type": "doc",
      "_id": "GWOYIGoBRROkT6Zh8ZgE",
      "_score": 2.5101082,
      "_source": {
        "level": "Error",
        "message": """The Open Procedure for service "BITS" in DLL "D:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code."""
      }
    },

As you can see in the documents above, two of them don't have a message field. I now want to limit the hit results based on a condition like this: if both the level and message fields have values, the document should appear in the hits; if either one of them is not present in the document, the document should not appear in the result set.

Kindly guide us on how this can be achieved.

Regards,
Ganeshbabu R

You can use the Exists query to only include documents that have a specific field. Multiple Exists queries can be combined with Boolean queries, and you can use the must_not clause of a boolean to include documents that don't have a field too.
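A worked version of that answer, added here as an example (not code from the original thread or from Elastic): it builds the bool query with one exists clause per required field, uses must_not for the inverse case, and applies the same exists semantics to a few constructed hits so the effect is visible without a cluster. The sample documents, their _id values, the index pattern winlogbeat-* and the function names are assumptions for illustration only.

```python
import json


def require_fields_query(required, excluded=()):
    """Build an Elasticsearch bool query that matches only documents in which
    every field in `required` has a value and no field in `excluded` does.
    The exists clauses go in `filter` (no scoring is needed for a presence
    test, so the filter cache can be used) and in `must_not` for the inverse.
    Paste the printed JSON into Kibana Dev Tools: GET winlogbeat-*/_search
    (index pattern assumed)."""
    return {
        "query": {
            "bool": {
                "filter": [{"exists": {"field": f}} for f in required],
                "must_not": [{"exists": {"field": f}} for f in excluded],
            }
        }
    }


def es_field_exists(source, field):
    """Mirror of Elasticsearch's `exists` semantics for one _source document:
    a missing field, null, [] and [null] are treated as absent; an empty
    string or any other value counts as present. Dotted paths such as
    "event_data.Binary" are walked through nested objects."""
    node = source
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    if node is None:
        return False
    if isinstance(node, list):
        return any(v is not None for v in node)
    return True


def apply_locally(hits, body):
    """Evaluate the query's filter/must_not exists clauses against in-memory
    hits and return the _id of every document that would be kept."""
    clauses = body["query"]["bool"]
    kept = []
    for hit in hits:
        src = hit["_source"]
        required_ok = all(
            es_field_exists(src, c["exists"]["field"]) for c in clauses.get("filter", [])
        )
        excluded_hit = any(
            es_field_exists(src, c["exists"]["field"]) for c in clauses.get("must_not", [])
        )
        if required_ok and not excluded_hit:
            kept.append(hit["_id"])
    return kept


# Constructed sample hits modelled on the documents in the question; not real data.
SAMPLE_HITS = [
    {"_id": "doc-1", "_source": {"level": "Error"}},
    {"_id": "doc-2", "_source": {"level": "Error", "message": None}},
    {"_id": "doc-3", "_source": {"level": "Error",
                                 "message": 'The Open Procedure for service "BITS" failed.'}},
    {"_id": "doc-4", "_source": {"message": "message with no level field"}},
    {"_id": "doc-5", "_source": {"level": "Error", "message": ""}},
]


if __name__ == "__main__":
    body = require_fields_query(["level", "message"])
    print(json.dumps(body, indent=2))
    print("kept:", apply_locally(SAMPLE_HITS, body))
    inverse = require_fields_query(["level"], excluded=["message"])
    print("missing message:", apply_locally(SAMPLE_HITS, inverse))
```

Two things worth checking on real data: a field whose value is an empty string still satisfies exists, so it will not be filtered out by this query, and exists can only see fields that are indexed or have doc values in the winlogbeat mapping.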

Thanks @polyfractal for sharing this; it worked.
