Query based on another query

diwertowski · May 18, 2016, 12:23pm

Is it possible to do something like this:

{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "ID1": {
              "fields": ["ID1"],
              "query": {
                "bool": {
                  "must": [
                    {
                      "match": {
                        "ID2": 007
                      }
                  ...

It's somehting like this in SQL:

SELECT * FROM logstash-* w
WHERE w.ID1 IN ( SELECT o.ID1 FROM logstash-* o
                 WHERE o.ID2 = 007)

Is this possible?

Hello world ID1=1234 ID2=007
Hello world again ID1=1234
Goodbye ID1=1234

It would be very nice, if I only have to type in ID2 and get all results which have the same ID1. All logfiles are in the same index, but it's no problem if the solution is, that we have to split them. I don't want to change any mappings or something like this, so parent/child doesn't work for me.

Any ideas? Is it possible?

TroyAndAbed · May 18, 2016, 12:56pm

I'm not sure what you want but why don't you simply do:

"query": {
    "bool": {
        "must":{
            "term": {
                "ID2" : "007"
            }
        }
    }
}, "sort": "ID1"

Or if you want all ID1 for the ID2 : 007:

 "query": {
    "bool": {
        "must":{
            "term": {
                "ID2" : "007"
            }
        }
    }
},
"size":0,
"aggs": {
    "groupy_by_ID1":{
        "terms": {
            "field":"ID1"
        }
    }
}