Join the result of two different queries indices

Good morning, excuse my English. I am new to Elastic and I am doing some tests with queries. I have the following case:

I have two indices, metrics and a custom one of my own. I was able to write a separate query for each one, and each fires when a record is obtained. Now I want to join both queries. I tried the following:

GET _search
{
  "size": 1,
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "apache.status.uptime.uptime": {
              "from": 0,
              "to": null,
              "include_lower": false,
              "include_upper": false,
              "boost": 1.0
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-20s",
              "to": "now",
              "include_lower": false,
              "include_upper": false,
              "time_zone": "Z",
              "format": "strict_date_optional_time_nanos",
              "boost": 1.0
            }
          }
        },
        {
          "range": {
            "duration": {
              "from": 0,
              "to": null,
              "include_lower": false,
              "include_upper": false,
              "boost": 1.0
            }
          }
        },
        {
          "range": {
            "start2": {
              "gte": "now-30m",
              "to": "now",
              "include_lower": false,
              "include_upper": false,
              "boost": 1.0
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1.0
    }
  },
  "_source": false,
  "fields": [
    {
      "field": "apache.status.uptime.uptime"
    },
    {
      "field": "duration"
    },
    {
      "field": "answer2"
    },
    {
      "field": "answer"
    }
  ]
}

I assume it returns no results when I join them because it tries to match all 4 conditions in the same index. Is what I'm trying to do not possible?

Thanks in advance.

Indeed, for a document to be a hit for this search request, it must satisfy all 4 conditions inside a must clause.

Thanks for answering.

I think I approached the problem wrong. Is there a way to get something back when two conditions are met in one document and the other two conditions are met in another document? That is, if there are records for document one in one time interval and records for document two in another time interval, return 'something'. Is this possible with queries?

You can do something like this:

bool
  should
    must
      condition1
      condition2
    must
      condition3
      condition4

Then for a document to be a hit, it must either satisfy (condition1 and condition2) OR (condition3 and condition4). But it could also be a hit if a document satisfies all 4 conditions.

1 Like
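Added example, not part of the thread: the sketch above written out as a full Query DSL body for the four conditions in the question, next to the original all-`must` shape. It assumes the legacy `from`/`to`/`include_*` parameters are rewritten as `gt`/`gte`/`lte`; the helper names, the two sample documents and the small local matcher (a stand-in for Elasticsearch, used only to show which documents each shape accepts) are constructed for illustration.

```python
import json, re
from datetime import datetime, timedelta, timezone

def rng(field, **bounds):
    return {"range": {field: bounds}}

def all_of(*clauses):
    return {"bool": {"must": list(clauses)}}

# The thread's four conditions; legacy from/to/include_* written as gt/gte/lte (assumption).
APACHE = [rng("apache.status.uptime.uptime", gt=0), rng("@timestamp", gte="now-20s", lte="now")]
CUSTOM = [rng("duration", gt=0), rng("start2", gte="now-30m", lte="now")]
ALL_MUST = all_of(*APACHE, *CUSTOM)  # shape of the original request
EITHER = {"bool": {"should": [all_of(*APACHE), all_of(*CUSTOM)], "minimum_should_match": 1}}

OPS = {"gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
       "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b}

def resolve(value, now):
    """Resolve only 'now' and 'now-<n>s|m' date math; other values pass through."""
    m = re.fullmatch(r"now(?:-(\d+)([sm]))?", value) if isinstance(value, str) else None
    if not m:
        return value
    seconds = int(m.group(1) or 0) * {"s": 1, "m": 60, None: 0}[m.group(2)]
    return now - timedelta(seconds=seconds)

def matches(query, doc, now):
    """Local stand-in for bool/range matching on flat documents; not Elasticsearch itself."""
    (kind, body), = query.items()
    if kind == "range":
        (field, bounds), = body.items()
        return field in doc and all(OPS[op](doc[field], resolve(b, now)) for op, b in bounds.items())
    n_should = sum(matches(q, doc, now) for q in body.get("should", []))
    return all(matches(q, doc, now) for q in body.get("must", [])) and n_should >= body.get("minimum_should_match", 0)

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
DOCS = {  # constructed documents, one per index
    "metrics": {"apache.status.uptime.uptime": 5400, "@timestamp": NOW - timedelta(seconds=5)},
    "custom": {"duration": 12, "start2": NOW - timedelta(minutes=10)},
}

def hits(query):
    return sorted(name for name, doc in DOCS.items() if matches(query, doc, NOW))

if __name__ == "__main__":
    print(json.dumps({"query": EITHER}, indent=2))  # body to send with GET _search
    print(hits(ALL_MUST), hits(EITHER))
```

Each document that satisfies either pair comes back as its own hit, so `size` has to be larger than 1 to see a hit from each index in one response.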
