Match on nested field is not working

Yogesh_BG · July 3, 2019, 12:54pm

Hi

I am using ES 6.4

I have a nested object with example as below

{
  "docs": {
    "Flwkt2sBvcxxWw1qkfxk": {
  "o_oper_state": "active",
  "p_ver": "v1",
  "h_ver": "v1",
  "stats_list": [
    {
      "app": "ubuntu",
      "conns": 2,
      "bytes": 12384,
      "rule": "rule1",
      "category": "web, analytics-and-statistics, web-ext-web-service"
    },
    {
      "app": "google_gen",
      "conns": 110,
      "bytes": 6477402,
      "rule": "rule1",
      "category": "web, web-ext-software"
    },
    {
      "app": "google_play",
      "conns": 2,
      "bytes": 181747,
      "rule": "rule1",
      "category": "mobile"
    },
    {
      "app": "google_tags",
      "conns": 2,
      "bytes": 6415,
      "rule": "rule1",
      "category": "web, web-ext-computer-and-internet-info"
    },
    {
      "app": "gstatic",
      "conns": 68,
      "bytes": 5588475,
      "rule": "rule1",
      "category": "web, web-ext-web-service"
    },
    {
      "app": "https",
      "conns": 1577,
      "bytes": 111084334,
      "rule": "rule1",
      "category": "basic, web, standards-based"
    }
   
  ],
  "ts": 1562145722626
}
  }
}

and mapping is as below

 "stats_list": {
        "type": "nested",
        "properties": {
          "app": {
            "type": "keyword"
          },
          "bytes": {
            "type": "float"
          },
          "category": {
            "type": "keyword"
          },
          "conns": {
            "type": "float"
          },
          "rule": {
            "type": "keyword"
          }
        }
      }

when i try to get docs matching app as ubuntu with below query it doesnt work

"size": 0,
  "query": {
"bool": {
  "must": [
    {
      "term": {
        “stats_list.app”: “ubuntu”
      }
    }
  ]
}
  }

spinscale · July 4, 2019, 8:28am

Hey,

have you tried using a nested query?

--Alex

Yogesh_BG · July 4, 2019, 8:35am

yes i did use it, but no luck. It seems this is how ES behaviour is and we need to pass this query to aggregation block also so that aggregation time also filtering happens

spinscale · July 4, 2019, 8:57am

can you create a fully reproducible minimal example including the nested query instead of just providing snippets and also specify the exact version of Elasticsearch including the patch release?

system · August 1, 2019, 9:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.