Newbie - records not being returned

Elastic Stack Elasticsearch
1

I am brand new to this technology. Probably, this question is answered
somewhere in the docs, but I can't see where.

I have inserted data as follows:

curl localhost:9200/_search?pretty

[...]

{
"_index" : "log",
"_type" : "external",
"_id" : "dggX5-r4SaW2DLnLwFJlkQ",
"_score" : 1.0,
"_source":{
"ID":"b596330f-1898-4d9a-aa34-031fac480ead",
"Type":3,
"Message":".NET Hub is running.",
"ParentID":null,
"MetaData":{
"Timestamp":"8/7/2014 2:50:11 PM",
"Source":"FileProcessor",
"EnterpriseID":"",
"ServiceName":"MMM.HSA.Hub.HubService, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=null",
"MessageID":"MON_Heartbeat",
"TimestampInTicks":"635430054119284674",
"HeartbeatTime":"5000"
},
"CreateDate":"/Date(-62135578800000)/"}
}

Then I run
curl -XPOST http://localhost:9200/log/_search
{"size":1,"query":{"filtered":{"query":{"match_all":{}},"filter":{"term":{"applicationID":"HSA_NET_Hub","Type":"3","MetaData.MessageID":"MON_Heartbeat"}}}},"sort":[{"_id":"desc"}]}

and get no results. It seems to me that the above record should be found.

Anybody know what I am doing wrong? I know it is because of the filtering
on MetaData.MessageID, because without that records do get found. But I
don't know what's wrong with my syntax and the documentation does not
answer my question.

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e2c82f7a-9903-4dee-a44f-2e0c4a8d0e2c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

2

Some thoughts:

I don't think you can define multiple fields/values for Term Filter: Elasticsearch Platform — Find real-time answers at scale | Elastic. I think that only the last one is applied here.
You are using default analyzer. So MessageID content has probably been indexed as ["mon", "heartbeat"].
A Term filter does not analyze the content. So you compare exactly your string with the inverted index. And MON_Heartbeat is not "mon" or "heartbeat".
You could change the mapping and set MessageID to not_analyzed: Elasticsearch Platform — Find real-time answers at scale | Elastic

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

Le 19 août 2014 à 21:13:37, eloris (roykoczela@gmail.com) a écrit:

I am brand new to this technology. Probably, this question is answered somewhere in the docs, but I can't see where.

I have inserted data as follows:

curl localhost:9200/_search?pretty

[...]

{
"_index" : "log",
"_type" : "external",
"_id" : "dggX5-r4SaW2DLnLwFJlkQ",
"_score" : 1.0,
"_source":{
"ID":"b596330f-1898-4d9a-aa34-031fac480ead",
"Type":3,
"Message":".NET Hub is running.",
"ParentID":null,
"MetaData":{
"Timestamp":"8/7/2014 2:50:11 PM",
"Source":"FileProcessor",
"EnterpriseID":"",
"ServiceName":"MMM.HSA.Hub.HubService, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
"MessageID":"MON_Heartbeat",
"TimestampInTicks":"635430054119284674",
"HeartbeatTime":"5000"
},
"CreateDate":"/Date(-62135578800000)/"}
}

Then I run
curl -XPOST http://localhost:9200/log/_search
{"size":1,"query":{"filtered":{"query":{"match_all":{}},"filter":{"term":{"applicationID":"HSA_NET_Hub","Type":"3","MetaData.MessageID":"MON_Heartbeat"}}}},"sort":[{"_id":"desc"}]}

and get no results. It seems to me that the above record should be found.

Anybody know what I am doing wrong? I know it is because of the filtering on MetaData.MessageID, because without that records do get found. But I don't know what's wrong with my syntax and the documentation does not answer my question.

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e2c82f7a-9903-4dee-a44f-2e0c4a8d0e2c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.53f3a6b3.57e4ccaf.132%40MacBook-Air-de-David.local.
For more options, visit https://groups.google.com/d/optout.

3

Thanks! Would have taken me forever to figure out the underscore was the
problem. Not the kind of thing you can find out from the "Getting Started"
docs.

On Tuesday, August 19, 2014 3:34:23 PM UTC-4, David Pilato wrote:

Some thoughts:

I don't think you can define multiple fields/values for Term Filter:
Elasticsearch Platform — Find real-time answers at scale | Elastic.
I think that only the last one is applied here.
You are using default analyzer. So MessageID content has probably been
indexed as ["mon", "heartbeat"].
A Term filter does not analyze the content. So you compare exactly your
string with the inverted index. And MON_Heartbeat is not "mon" or
"heartbeat".
You could change the mapping and set MessageID to not_analyzed:
Elasticsearch Platform — Find real-time answers at scale | Elastic

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfr
https://twitter.com/elasticsearchfr

Le 19 août 2014 à 21:13:37, eloris (royko...@gmail.com <javascript:>) a
écrit:

I am brand new to this technology. Probably, this question is answered
somewhere in the docs, but I can't see where.

I have inserted data as follows:

curl localhost:9200/_search?pretty

[...]

{
"_index" : "log",
"_type" : "external",
"_id" : "dggX5-r4SaW2DLnLwFJlkQ",
"_score" : 1.0,
"_source":{
"ID":"b596330f-1898-4d9a-aa34-031fac480ead",
"Type":3,
"Message":".NET Hub is running.",
"ParentID":null,
"MetaData":{
"Timestamp":"8/7/2014 2:50:11 PM",
"Source":"FileProcessor",
"EnterpriseID":"",
"ServiceName":"MMM.HSA.Hub.HubService, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=null",
"MessageID":"MON_Heartbeat",
"TimestampInTicks":"635430054119284674",
"HeartbeatTime":"5000"
},
"CreateDate":"/Date(-62135578800000)/"}
}

Then I run
curl -XPOST http://localhost:9200/log/_search

{"size":1,"query":{"filtered":{"query":{"match_all":{}},"filter":{"term":{"applicationID":"HSA_NET_Hub","Type":"3","MetaData.MessageID":"MON_Heartbeat"}}}},"sort":[{"_id":"desc"}]}

and get no results. It seems to me that the above record should be found.

Anybody know what I am doing wrong? I know it is because of the filtering
on MetaData.MessageID, because without that records do get found. But I
don't know what's wrong with my syntax and the documentation does not
answer my question.

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/e2c82f7a-9903-4dee-a44f-2e0c4a8d0e2c%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/e2c82f7a-9903-4dee-a44f-2e0c4a8d0e2c%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/27c1626d-946c-4da6-af21-3b547395c7ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

4

I think you should read this chapter: Elasticsearch Platform — Find real-time answers at scale | Elastic
It could help you understanding what is happening behind the scene.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

Le 20 août 2014 à 15:34:03, eloris (roykoczela@gmail.com) a écrit:

Thanks! Would have taken me forever to figure out the underscore was the problem. Not the kind of thing you can find out from the "Getting Started" docs.

On Tuesday, August 19, 2014 3:34:23 PM UTC-4, David Pilato wrote:
Some thoughts:

I don't think you can define multiple fields/values for Term Filter: Elasticsearch Platform — Find real-time answers at scale | Elastic. I think that only the last one is applied here.
You are using default analyzer. So MessageID content has probably been indexed as ["mon", "heartbeat"].
A Term filter does not analyze the content. So you compare exactly your string with the inverted index. And MON_Heartbeat is not "mon" or "heartbeat".
You could change the mapping and set MessageID to not_analyzed: Elasticsearch Platform — Find real-time answers at scale | Elastic

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr

Le 19 août 2014 à 21:13:37, eloris (royko...@gmail.com) a écrit:

I am brand new to this technology. Probably, this question is answered somewhere in the docs, but I can't see where.

I have inserted data as follows:

curl localhost:9200/_search?pretty

[...]

{
"_index" : "log",
"_type" : "external",
"_id" : "dggX5-r4SaW2DLnLwFJlkQ",
"_score" : 1.0,
"_source":{
"ID":"b596330f-1898-4d9a-aa34-031fac480ead",
"Type":3,
"Message":".NET Hub is running.",
"ParentID":null,
"MetaData":{
"Timestamp":"8/7/2014 2:50:11 PM",
"Source":"FileProcessor",
"EnterpriseID":"",
"ServiceName":"MMM.HSA.Hub.HubService, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
"MessageID":"MON_Heartbeat",
"TimestampInTicks":"635430054119284674",
"HeartbeatTime":"5000"
},
"CreateDate":"/Date(-62135578800000)/"}
}

Then I run
curl -XPOST http://localhost:9200/log/_search
{"size":1,"query":{"filtered":{"query":{"match_all":{}},"filter":{"term":{"applicationID":"HSA_NET_Hub","Type":"3","MetaData.MessageID":"MON_Heartbeat"}}}},"sort":[{"_id":"desc"}]}

and get no results. It seems to me that the above record should be found.

Anybody know what I am doing wrong? I know it is because of the filtering on MetaData.MessageID, because without that records do get found. But I don't know what's wrong with my syntax and the documentation does not answer my question.

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/e2c82f7a-9903-4dee-a44f-2e0c4a8d0e2c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/27c1626d-946c-4da6-af21-3b547395c7ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.53f4d2a2.2ae8944a.6ef9%40MacBook-Air-de-David.local.
For more options, visit https://groups.google.com/d/optout.