Limiting results by field

Hi,

I have a query that searches for a specific field value within the last hour. The problem is that this query will find roughly 4 documents each time, as that is how often the data is generated. I'm trying to limit the results to 1 result per device. My query and the resulting error are both below. Any advice/help would be greatly appreciated :slight_smile:

```
POST /_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-1h"
            }
          }
        },
        {
          "match": {
            "osquery.result.columns.mdm": "active"
          }
        },
        {
          "aggregations": {
            "hosts": {
              "terms": {
                "field": "osquery.result.decorations.hostname",
                "size": 1
              }
            }
          }
        }
      ]
    }
  }
}
```

```
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "no [query] registered for [aggregations]",
        "line": 18,
        "col": 27
      }
    ],
    "type": "parsing_exception",
    "reason": "no [query] registered for [aggregations]",
    "line": 18,
    "col": 27
  },
  "status": 400
}
```

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Here most likely (but without proper formatting it's hard to tell), aggregations is not at the same level as query but inside it. You should fix that.
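As an added illustration of the reply above (not code from the thread or from Elasticsearch itself), the following Python reconstructs the posted request body, hoists the misplaced `aggregations` object out of `bool.must` to the top level next to `query`, and then builds a request that actually returns one document per device. The second part goes slightly beyond the thread: a `terms` aggregation's `size` is the number of buckets (devices), not hits per device, so the posted `"size": 1` would keep only one host; the per-device limit comes from a `top_hits` sub-aggregation. The `max_devices` parameter and the `latest` sub-aggregation name are my own; the example assumes the hostname field is an aggregatable keyword field.

```python
import copy
import json

# The request body from the question, reconstructed as a Python dict. The
# "aggregations" object is (wrongly) one of the bool.must clauses, which is
# what produces "no [query] registered for [aggregations]".
POSTED_BODY = {
    "query": {
        "bool": {
            "must": [
                {"range": {"@timestamp": {"gte": "now-1h"}}},
                {"match": {"osquery.result.columns.mdm": "active"}},
                {
                    "aggregations": {
                        "hosts": {
                            "terms": {
                                "field": "osquery.result.decorations.hostname",
                                "size": 1,
                            }
                        }
                    }
                },
            ]
        }
    }
}

AGG_KEYS = ("aggregations", "aggs")


def hoist_misplaced_aggregations(body):
    """Return a copy of `body` with any aggregation object found inside
    bool.must moved to the top level of the request, beside "query".

    Only bool.must is inspected because that is where the posted query put
    it; "aggs"/"aggregations" are never valid query clauses anywhere.
    Raises ValueError when there is nothing to hoist.
    """
    fixed = copy.deepcopy(body)
    must = fixed.get("query", {}).get("bool", {}).get("must", [])
    kept, hoisted = [], {}
    for clause in must:
        key = next((k for k in AGG_KEYS if k in clause), None)
        if key is None:
            kept.append(clause)
        else:
            hoisted.update(clause[key])
    if not hoisted:
        raise ValueError("no misplaced aggregation found in bool.must")
    fixed["query"]["bool"]["must"] = kept
    fixed.setdefault("aggregations", {}).update(hoisted)
    return fixed


def one_result_per_device(body,
                          host_field="osquery.result.decorations.hostname",
                          max_devices=500):
    """Build a request returning only the newest document per device.

    `max_devices` (hypothetical parameter) is the terms bucket count, i.e.
    how many distinct hosts can be returned. The single hit per host comes
    from the top_hits sub-aggregation, and "size": 0 at the top level
    suppresses the raw hit list so only the buckets come back.
    """
    request = {"size": 0, "query": copy.deepcopy(body["query"])}
    request["aggregations"] = {
        "hosts": {
            "terms": {"field": host_field, "size": max_devices},
            "aggregations": {
                "latest": {
                    "top_hits": {
                        "size": 1,
                        "sort": [{"@timestamp": {"order": "desc"}}],
                    }
                }
            },
        }
    }
    return request


if __name__ == "__main__":
    fixed = hoist_misplaced_aggregations(POSTED_BODY)
    print(json.dumps(one_result_per_device(fixed), indent=2))
```

Running the script prints the corrected body; with `"size": 0` the per-host documents appear under `aggregations.hosts.buckets[*].latest.hits.hits` in the response rather than in the top-level `hits`.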

Thanks for the reply, I've moved the aggregation block and it's now finding results, still too many from what I can see though, but I may need to just add more to it.

Also, I did use the code formatting button and it formatted correctly in the text window, but the message itself wouldn't change to the correct formatting, not sure why... :confused:

I edited your code. Have a look at how it looks now and edit it again to see what I have done, so you can use that later. Thanks
