Is cross document query possible?

gilisade · December 8, 2016, 8:36am

Hi
i have an index called X
in that index i have 1 document type
and the documents are separated by the filed "type" (added by logstash)
one type is called : type1
and one type is called : type2
both have one field that is the same called "identifier"
that means that some documents from type1 have the "identifier" field with the same value as documents from type 2
i want to search for a string in a field called msg in documents from type1 , and get the documents from type2 that contain the same value of "identifier" (from the results of the string search in field msg)

is that possible with elasticsearch?

gilisade · December 8, 2016, 8:49am

for example :
this is a type1 document :

{
  "_index": "X",
  "_type": "type",
  "_id": "ID",
  "_score": null,
  "_source": {
    "msg": "stringsstringsstrings",
    "@timestamp": "2016-12-08T08:23:35.000Z",
    "logexpirydate": "2016-12-09T08:23:46.341Z",
    "identifier": "XYZ",
    "@version": "1",
    "type": "type1"
}

}

and this is a type 2 document:

{
  "_index": "X",
  "_type": "type",
  "_id": "ID",
  "_score": null,
  "_source": {
    "severity": "Info",
    "identifier": "XYZ",
    "module": "some module",
    "type": "type2",
    "tags": [],
    "exception_data": "",
    "@timestamp": "2016-12-08T08:38:46.235Z",
    "@version": "1",
    "methodname": null
  }

i want to search for a certain string in type1 filed "msg" - and use the "identifier" field value to get type2 document containing the same "identifier" field value

dadoonet · December 8, 2016, 8:53am

So basically a JOIN?

It's not really doable. You can have a look at parent/child feature though which can help you may be in such a case. It comes with a cost (memory usage as we have to perform joins in memory).

gilisade · December 8, 2016, 8:58am

Yes i guess something like a join
i looked at the parent child option but i don't quit know how to "tell" elasticsearch who is the parent and who is the child
the data comes from JDBC input with logstash
and what connects the 2 documents is the "identifier" filed
so how can i tell logstash that when a document from type1 has "identifier" : "XYZ" it is a child of a document from type 2 with "identifier" : "XYZ"?

dadoonet · December 8, 2016, 3:45pm

May be this can help you?

system · January 5, 2017, 3:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.