Problem with multiple match query

floBoth · August 3, 2017, 12:26pm

Hi everyone !

I think my problem is pretty simple to resolve, I want to do that (in head plugin) :

POST
/_all/logs/_search

{"query":{"match":{"action":"reject" OR "action":"drop" AND "src_group":"blacklist"}},"aggregations":{"my_aggregation":{"range":{"log_date":{"gt":"now-24h"}}}}}

Errors are for OR, and AND in the match query.
Have you a solution please ?

Thanks !
floBoth

dadoonet · August 3, 2017, 12:49pm

This is not a valid JSON.

What you want to do is probably using the bool query with must and should clauses.

floBoth · August 3, 2017, 1:14pm

Ok thanks.
So I have done that :

{"query":{"bool":{"must":{"term":{"src_group":"blacklist"}},"should":[{"term":{"action":"reject"}},{"term":{"action":"drop"}}]}},"aggregations":{"my_aggregation":{"range":{"log_date":{"gt":"now-24h"}}}}}

But another error :
"type": "search_parse_exception","reason": "Unexpected token START_OBJECT in [my_aggregation]."

Do you know where this error can come from ?

dadoonet · August 3, 2017, 3:13pm

Please format your code using </> icon as explained in this guide. It will make your post more readable.

Or use markdown style like:

```
CODE
```

Do you know where this error can come from ?

Yes. It's incorrect. Look at the expected format here: Range Aggregation | Elasticsearch Reference [5.5] | Elastic

floBoth · August 4, 2017, 8:00am

I corrected my JSON code with date_range aggregation :

{"query":
{"bool":
{"must":{"term":{"src_groupe":"blacklist"}},
"should":[{"term":{"action":"reject"}},{"term":{"action":"drop"}}]}},
"aggs":{"mon_aggregation":{
"date_range":{"field":"log_date","format":"yyyy-MM-dd",
"ranges":[{"from":"now-10M/M","to":"now/d"}]}
}}}

But the response isn't correct. This also returns the results where the date is not included in "from", "to".

Maybe an error in date format, or in "ranges" ?

floBoth · August 7, 2017, 8:36am

I tried to add "time_zone" but that also doesn't work :

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "src_groupe": "blacklist"
        }
      },
      "should": [
        {
          "term": {
            "action": "reject"
          }
        },
        {
          "term": {
            "action": "drop"
          }
        }
      ]
    }
  },
  "aggs": {
    "mon_aggregation": {
      "date_range": {
        "field": "log_date",
        "time_zone": "CET",
        "format": "yyyy-MM-dd",
        "ranges": [
          {
            "from": "now-10M/M",
            "to": "now/d"
          }
        ]
      }
    }
  }
}

Somebody can help me please ?

floBoth · August 7, 2017, 1:40pm

It's all good, I resolved my problem with this request :

{
  "query": {
    "query_string": {
      "fields": [
        "src_groupe",
        "action"
      ],
      "query": "blacklist OR reject OR drop"
    }
  },
  "aggs": {
    "mon_aggregation": {
      "date_range": {
        "field": "log_date",
        "format": "yyyy-MM-dd",
        "ranges": [
          {
            "from": "now-24M/M",
            "to": "now/d"
          }
        ]
      }
    }
  }
}

Thanks !

system · September 4, 2017, 1:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.