This is the Elasticsearch query I send as the body of a `_search` REST request:
GET logstash-2017.12.29/_search
{
"_source": {
"includes": [ "IPV4_DST_ADDR","IPV4_SRC_ADDR","IN_BYTES","OUT_BYTES"]
},
"size" : 100,
"query": {
"bool": {
"should": [
{
"match_phrase":{"IPV4_DST_ADDR":"192.168.0.159"}
},
{
"match_phrase":{"IPV4_SRC_ADDR":"192.168.0.159"}
}
],
"must":
{
"range" : {
"LAST_SWITCHED" : {
"gte" : 1514543547
}
}
}
}
},
"aggs": {
"IN_PKTS": {
"sum": {
"field": "IN_PKTS"
}
},
"IN_BYTES": {
"sum": {
"field": "IN_BYTES"
}
},
"OUT_BYTES": {
"sum": {
"field": "OUT_BYTES"
}
},
"OUT_PKTS": {
"sum": {
"field": "OUT_PKTS"
}
},
"genres":{
"terms" : {
"field" : "L7_PROTO_NAME.keyword",
"order" : { "in_bytes" : "desc" }
},
"aggs":{
"in_bytes": {
"sum": { "field":"IN_BYTES"}
}
}
},
"download1" : {
"filter" : { "term": { "IPV4_DST_ADDR":"192.168.0.159"} },
"aggs" : {
"downlod_bytes" : { "sum" : { "field" : "IN_BYTES" } }
}
},
"download2" : {
"filter" : { "term": { "IPV4_SRC_ADDR":"192.168.0.159"} },
"aggs" : {
"downlod_bytes" : { "sum" : { "field" : "OUT_BYTES" } }
}
},"upload1" : {
"filter" : { "term": { "IPV4_DST_ADDR":"192.168.0.159"} },
"aggs" : {
"downlod_bytes" : { "sum" : { "field" : "OUT_BYTES" } }
}
},"upload2" : {
"filter" : { "term": { "IPV4_SRC_ADDR":"192.168.0.159"} },
"aggs" : {
"downlod_bytes" : { "sum" : { "field" : "IN_BYTES" } }
}
},
"Udp|Tcp" : {
"terms" : {
"field" : "PROTOCOL"
}
},
"Using_port_count" : {
"cardinality" : {
"field" : "L4_SRC_PORT"
}
}
}
}
Some of the returned hits do not meet my requirement: I expected every hit to have `192.168.0.159` as either `IPV4_SRC_ADDR` or `IPV4_DST_ADDR` (the two `should` clauses), but the following document matches neither:
{
"_index": "logstash-2017.12.29",
"_type": "ntopng-*",
"_id": "AWCh1jPtnZ2m3739FTU7",
"_score": 1,
"_source": {
"IPV4_SRC_ADDR": "192.168.0.109", // not 192.168.0.159 as expected
"IN_BYTES": 132,
"IPV4_DST_ADDR": "224.0.0.252", // not 192.168.0.159 as expected either
"OUT_BYTES": 0
}
}
How should I modify this query so that at least one of the two address `should` clauses is required to match (in addition to the `LAST_SWITCHED` range in `must`), while keeping the aggregations unchanged?
Thank you in advance!