How to use group clause in search query?

(Sameer Panicker) #1

I am trying to search for a record which has Internal Server Error, the match URL, and session ID.

Is there a way that I can get only session ID's that are matching ?

(Spencer Alger) #2

In the filter box you can specify the field you want to match, like:

Payload_reasonPhrase:"Internal Server Error" Payload_sessionID:"XYZ"

Does that help?

(Sameer Panicker) #3

The actual use case here is to the particular URL with Internal Server Errors only.

Searching for GUIDs from many records wont be that easy. Since, both the URL and Reason Phrase are logged as 2 different events. If I have the GUID, then its easy.

Any other suggestion ?

(Spencer Alger) #4

I'm afraid that the best way to do that would be to change the way you are storing these events. If the reasonPhrase and requestUri are related to the same event then they should be in the same document in elasticsearch.

Elasticsearch isn't relational, so joining on something like sessionID isn't going to work out of the box. I'm pretty sure that there are some tricks you can use to do it, but Kibana doesn't support it out of the box so I don't recommend it.

(Matt Bargar) #5

Reviving an old thread, but I stumbled across this while looking for something else and I had a thought. What if, using the Visualize app, you do a terms agg on the sessionID field along with the query you have here? Any bucket with a doc count of 2 should be a culprit. If there's a potential for multiple "Internal Server Error" or "URL" documents for a given ID over time, you could also add a date histogram agg with a fairly small interval to hopefully narrow it down to one error per bucket (I'm assuming the url doc and the error doc will have matching timestamps, or at least be within milliseconds of each other, whereas separate errors are probably minutes, hours, or days apart).

(system) #6