Limiting results by field

Daz762 · July 2, 2019, 3:20pm

Hi,

I have a query that searches for a specific field value within the last hour. the problem is that this query will find roughly 4 documents each time as that is how often the data is generated. I'm trying to limit the results to 1 result per device. My query and the resulting error are both below. Any advice/help would be greatly appreciated

POST /_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-1h"
            }
          }
        },
        {
          "match": {
            "osquery.result.columns.mdm": "active"
          }
        },
        {
          "aggregations": {
            "hosts": {
              "terms": { 
                "field": "osquery.result.decorations.hostname", 
                "size": 1
              }
            }
          } 
        }
      ]
    }
  }
}

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "no [query] registered for [aggregations]",
        "line": 18,
        "col": 27
      }
    ],
    "type": "parsing_exception",
    "reason": "no [query] registered for [aggregations]",
    "line": 18,
    "col": 27
  },
  "status": 400
}

dadoonet · July 2, 2019, 3:43pm

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Here most likely (but without proper formatting it's hard to tell), aggregations is not at the same level than query but inside. You should fix that.

Daz762 · July 2, 2019, 4:00pm

Thanks for the reply, i've moved the aggregation block and it's now finding results, still too many from what i can see though but i may need to just add more to it.

Also, i did use the code formatting button and it formatted correctly in the text window but the message itself wouldn't change to the correct formatting, not sure why..

dadoonet · July 2, 2019, 4:36pm

I edited your code. Have a look at how it looks like now and edit it again to see what I have done so you can use that later. Thanks

system · July 30, 2019, 4:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Limit number of results for each value of one field Elasticsearch	2	659	July 5, 2017
[Query] Limit the number of result per field content Elasticsearch	3	461	July 5, 2017
Limit number of documents returned by each clause in Search query Elasticsearch	3	502	October 8, 2019
How to increase query results limit of 10,000 results per search in AppSearch Elastic Search elastic-app-search	2	3325	September 6, 2021
Elasticsearch-5: Aggregation based on query without per-doc results? Elasticsearch	4	693	December 19, 2016

Limiting results by field

Related topics