Queries with fields {...} don't return field with dot in their name


(benq) #1

Hi all,

I have a query that specifies the fields to be returned as described
here: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-request-fields.html
However, it does not return the fields with a dot in their name, like
"response.user".

For example:
{
  "size": 1000,
  "fields": ["@timestamp", "request", "response", "response.user", "clientip"],
  "query": {"match_all": {} },
  "filter": {
    "and": [
      { "range": { "@timestamp": { "from": ...
    ]
  }
}

The timestamp, request, response and clientip fields are returned. The
response.user is not.

Any idea why?

Regards,
Benoît

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/cc08476f-0c6e-47bc-870a-2008386636c5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(vineeth mohan-2) #2

Hello Ben,

Can you paste a sample feed?

Thanks
Vineeth



(benq) #3

Hello Vineeth,

The items that are indexed in elasticsearch really contain a field named
"response.user".

"_source": {
  "clientip": "aaa.bbb.cccc.ddd",
  "request": "http://aaaa.aa/bbbbb/ccccc",
  "request.accept-encoding": "gzip, deflate",
  "request.accept-language": "de-ch",
  "response.content-type": "text/html; charset=UTF-8",
  "response": 200,
  "response.age": "0",
  "response.user": "userAAA",
  "@timestamp": "2014-07-01T12:18:51.501+02:00"
}

I realize there is an ambiguity between a field with a dot in its name and
a field of a child document. Should fields with a dot in their name be
avoided?

Benoît



(vineeth mohan-2) #4

Hello Ben,

This is definitely an ambiguity.

By request.user, in the usual case ES expects data like

"request" : {
  "user" : "vm"
}

Try "request.user" or something. Some mechanism to escape the dot.

Thanks
Vineeth

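The ambiguity discussed in posts #3 and #4, as an added example that is not part of the thread and is not Elasticsearch's own code: the same name read as an object path versus as one flat key, plus one way to re-shape such events before indexing. `SOURCE` is constructed from the document in post #3; the function names and the `value` leaf key are assumptions.

```python
# Added illustration; a model of the two readings, not Elasticsearch internals.
SOURCE = {  # constructed from the _source posted in #3
    "clientip": "aaa.bbb.cccc.ddd",
    "request": "http://aaaa.aa/bbbbb/ccccc",
    "request.accept-encoding": "gzip, deflate",
    "request.accept-language": "de-ch",
    "response.content-type": "text/html; charset=UTF-8",
    "response": 200,
    "response.age": "0",
    "response.user": "userAAA",
    "@timestamp": "2014-07-01T12:18:51.501+02:00",
}
MISSING = object()

def get_by_path(doc, name):
    """Read `name` as an object path: "response.user" -> doc["response"]["user"]."""
    node = doc
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node

def get_literal(doc, name):
    """Read `name` as a single flat key, dots included."""
    return doc.get(name, MISSING)

def nest_dotted_keys(doc, leaf="value"):
    """Rewrite flat dotted keys as nested objects, independent of key order.

    "response" is both a scalar (200) and a prefix of "response.user"; it
    cannot be both in a nested document, so the scalar moves under `leaf`.
    """
    out = {}
    for key, value in doc.items():
        *parents, last = key.split(".")
        node = out
        for part in parents:
            child = node.get(part)
            if not isinstance(child, dict):
                # Nothing here yet, or a scalar that must become an object.
                child = {} if part not in node else {leaf: child}
                node[part] = child
            node = child
        if isinstance(node.get(last), dict):
            node[last][leaf] = value  # the prefix was created first
        else:
            node[last] = value
    return out
```

With the nested form, "response.user" has only one reading, which matters when a field such as the authenticated user feeds audit queries or alerting.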

