Issues getting search results

HockeyFan0000 · November 15, 2018, 6:56pm

I'm trying to do a query for server logs. The search is returning results but there are a couple of issues.

I'm specifying the server name, yet I'm getting results back for other servers in the same domain.
Even though I'm specifying the query get results back from the past hour, they're coming back from two hours before, i.e. if I perform the search at 1pm, the results are returning from 12pm. The search returns the correct results if I specify sorting by timestamp but this seems to take longer for the results to appear so I would rather not do that unless I have to.

Any help you can give is greatly appreciated.

Here's my query (with edited log name and server name):

var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"must": [
{
"match" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"},
"match" : {"source" : "server01.fakedomain.com"},
"match" : {"EventID" : "5145"}
},
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
],
"must_not":
}
},

}

spinscale · November 26, 2018, 4:02pm

hey,

you are using a match query on the source field. Depening on the mapping of the source field you might be ending up searching for server01 OR fakedomain OR com, which might explain your additional result. You might want to search against the source.keyword field - but this is just a wild guess.

HockeyFan0000 · November 27, 2018, 4:31pm

I got the answer elsewhere, but 'spinscale' was correct. The 'match' query was the wrong way to go. The corrected query is below:

var searchParams = {
index: 'logs*',
    "body": {
      "from" : 0, "size": 50,
      "sort": [
        {
          "timestamp": {
            "order": "desc",
            "unmapped_type": "boolean"
          }
        }
      ],
        "query": {
            "bool": {
                "filter": [
                    { "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
                    { "term" : {"source" : "server01.fakedomain.com"} },
                    { "term" : {"EventID" : "5145"} },
                    {
                        "range": {
                            "timestamp": {
                              "gte": "now-1h",
                              "lte": "now/m",
                              "time_zone": "-05:00"
                            }
                        }
                    }
                ]
            }
        },

    }
}

system · December 25, 2018, 4:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.