Join query type in Query DSL

Sivajanani · January 18, 2021, 3:00pm

Hello,

I have created a join field using below query,

PUT test_corr
{
"mappings": {
"properties": {
"my_id": {
"type": "keyword"
},
"my_join_field": {
"type": "join",
"relations": {
"indicators": "indicator"
}
}
}
}
}

Over the same index I have ingested two sets of data via logstash,
event1: indicators:139.23.45.67 actionn:success
event2: indicator:139.23.45.67 tags:perfume,scan

My desired result should be like if I search for success I should get both event1 and event2 as a result just like SQL since indicators is a parent field of indicator and both are joined.

But I am not getting the result. Help me with your inputs.

warkolm · January 18, 2021, 10:34pm

Can you please share an example document, after Logstash has sent it to Elasticsearch?

Christian_Dahlqvist · January 19, 2021, 5:53am

How many primary shards does the index have? If greater than 1, how are you specifying routing and document IDs?

Sivajanani · January 19, 2021, 7:44am

Uploaded 2 events within same index[have to join indicator and indicators field]

Sivajanani · January 19, 2021, 7:45am

As of now I haven't specified any of the setting and all are default

system · February 16, 2021, 7:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.