Query against a list of objects

kernelpanic · April 26, 2017, 2:36pm

Hello, we're currently using winlogbeat to send domain controller logs to Elasticsearch and I was wondering how I would query against a list of objects, for example a list of usernames. After looking into it I think I need to so something with 'terms queries' (https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-terms-query.html)

I did create a document with a list of usernames but couldn't figure out how to query against it, particularly whilst using Kibana with the winlogbeat-* index pattern - can anyone help with this?

Thanks.

nik9000 · April 26, 2017, 2:55pm

I'm not sure about kibana, but you shouldn't need to create a document. You can use the list of terms.

If the list is short (like, less than 100) it is probably just fine to do a bunch of term queries in a should clause in a bool query. If you use the query_string query (which I think kibana does in that big text box) that'd look like (field:value | field:value | field:value).

kernelpanic · April 26, 2017, 3:15pm

Thanks for getting back to me; yes I suppose I could just create a list of query terms in the text box and save it. Just for the future though in case I do need to query against a large list of objects in a document, can you give me an example of such a query?

nik9000 · April 26, 2017, 3:44pm

The Elasticsearch example is at the bottom of the page you linked. I'm not sure about kibana, sorry!

kernelpanic · April 26, 2017, 3:51pm

No worries thanks for getting back to me.

system · May 24, 2017, 4:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.