Of course, below is the index mapping for the url field:
"url": {
"properties": {
"domain": {
"type": "keyword",
"ignore_above": 1024
},
"extension": {
"type": "keyword",
"ignore_above": 1024
},
"fragment": {
"type": "keyword",
"ignore_above": 1024
},
"full": {
"type": "keyword",
"fields": {
"text": {
"type": "text",
"norms": false
}
},
"ignore_above": 1024
},
"original": {
"type": "keyword",
"fields": {
"text": {
"type": "text",
"norms": false
}
},
"ignore_above": 1024
},
And the query can vary based on whether you use the wildcard, regexp, or query_string queries. However, a sample query could look something like:
{
  "size": 100,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [
              {
                "term": {
                  "agent.type": "packetbeat"
                }
              },
              {
                "term": {
                  "host.name": "blueprint-energetic-bear"
                }
              },
              {
                "term": {
                  "destination.port": 80
                }
              },
              {
                "term": {
                  "http.request.method": "post"
                }
              },
              {
                "term": {
                  "http.response.status_code": "200"
                }
              },
              {
                "query_string": {
                  "default_field": "url.full",
                  "query": "/.*recherche=.*LIMIT.*/"
                }
              }
            ]
          }
        }
      ]
    }
  }
}
The query_string clause can be replaced with any of the other queries mentioned (changing some syntax as well, of course). Some regex patterns return the document, while others that seem just as valid do not.
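The behaviour described in the post (some patterns match, apparently equivalent ones do not) is the usual sign of Lucene regex semantics on a keyword field: the pattern has to match the entire stored value, anchors such as `^` and `$` are not supported, and matching is case-sensitive unless you ask otherwise. The script below is an added example, not code from the original post; it emulates those two rules with Python's `re.fullmatch` over a few constructed `url.full` values (the host and parameter values are made up) and rebuilds the post's filter query with the pattern moved into a `regexp` clause. The emulation is an approximation, since Lucene's regex dialect is not identical to Python's, so it is meant for simple patterns like the one in the post.

```python
import re
from typing import Any, Dict, List

# Constructed sample url.full values for the demonstration (not from the
# original post; the host, path and parameter values are made up).
SAMPLE_URLS: List[str] = [
    "http://shop.example.test/index.php?recherche=1' UNION SELECT 1,2 LIMIT 1--",
    "http://shop.example.test/index.php?recherche=chaussures",
    "http://shop.example.test/index.php?recherche=1 limit 5",
]


def strip_slashes(qs_regex: str) -> str:
    """query_string writes a regex as /pattern/; return the bare pattern."""
    if len(qs_regex) >= 2 and qs_regex.startswith("/") and qs_regex.endswith("/"):
        return qs_regex[1:-1]
    return qs_regex


def lucene_keyword_regex_matches(pattern: str, value: str,
                                 case_insensitive: bool = False) -> bool:
    """Emulate how a Lucene regex is applied to a keyword value.

    Two properties are emulated with the standard `re` module:
      * the pattern must match the WHOLE untokenized term (Lucene has no
        anchors and no implicit search-anywhere), hence re.fullmatch;
      * matching is case-sensitive unless case-insensitivity is requested.
    This is an approximation of Lucene's dialect, not its engine.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(pattern, value, flags) is not None


def count_hits(qs_regex: str, urls: List[str] = SAMPLE_URLS,
               case_insensitive: bool = False) -> int:
    """Number of sample documents the regex would return."""
    pattern = strip_slashes(qs_regex)
    return sum(lucene_keyword_regex_matches(pattern, u, case_insensitive)
               for u in urls)


def build_query(qs_regex: str, host: str = "blueprint-energetic-bear",
                case_insensitive: bool = False) -> Dict[str, Any]:
    """Rebuild the post's bool/filter query, with the regex supplied to a
    regexp clause on url.full instead of query_string. The case_insensitive
    parameter of the regexp query requires Elasticsearch 7.10 or later."""
    regexp_body: Dict[str, Any] = {"value": strip_slashes(qs_regex)}
    if case_insensitive:
        regexp_body["case_insensitive"] = True
    return {
        "size": 100,
        "query": {
            "bool": {
                "filter": [
                    {"term": {"agent.type": "packetbeat"}},
                    {"term": {"host.name": host}},
                    {"term": {"destination.port": 80}},
                    {"term": {"http.request.method": "post"}},
                    {"term": {"http.response.status_code": "200"}},
                    {"regexp": {"url.full": regexp_body}},
                ]
            }
        },
    }


if __name__ == "__main__":
    # The first pattern is the one from the post; the second drops the
    # leading/trailing .* and therefore never matches a whole URL.
    for rx in ("/.*recherche=.*LIMIT.*/", "/recherche=.*LIMIT/"):
        print(rx, "->", count_hits(rx), "hit(s) case-sensitive,",
              count_hits(rx, case_insensitive=True), "hit(s) case-insensitive")
```

Running it shows why `/.*recherche=.*LIMIT.*/` returns the injected-looking URL while `/recherche=.*LIMIT/` returns nothing: without the surrounding `.*` the pattern cannot cover the scheme and host in front of the query string. Lower-cased `limit` in a request is only caught when case-insensitivity is switched on, which is something to keep in mind when turning this filter into a detection rule.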