Query doing interpretation?


(Jay Wilson) #1

I do the following query:

curl -XPOST "http://localhost:9200/_search?pretty=true" -d '
{
  "query" : { "match_all" : {} },
  "facets" : {
    "tags" : { "terms" : { "field" : "port"} }
  }
}
'

It gives me back results, but it doesn't read the field correctly. It is
breaking it into parts. Sample output snippet:
{
"took" : 184,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 79033,
"max_score" : 1.0,
"hits" : [ {
"_index" : "logstash-2013.12.14",
"_type" : "fluentd",
"_id" : "L3zraX4jQFurtthZmJz1gA",
"_score" : 1.0, "_source" : {"hostname":"Opus-1","latency":817, "port":"xe-0/0/4:1","queue depth":1021904,"record type":"queue-stats","time":"Dec 13 19:47:26.587","_jnpr":"analyticsD.jnpr","@timestamp":"2013-12-13T19:47:26-08:00"}
}, {
"_index" : "logstash-2013.12.14",
"_type" : "fluentd",
"_id" : "kccm8UWaTXaUwxEuxn1Mbw",
"_score" : 1.0, "_source" : {"hostname":"Opus-1","latency":817, "port":"xe-0/0/4:1","queue depth":1021904,"record type":"queue-stats","time":"Dec 13 19:47:26.598","_jnpr":"analyticsD.jnpr","@timestamp":"2013-12-13T19:47:26-08:00"}
},]
},
"facets" : {
"tags" : {
"_type" : "terms",
"missing" : 0,
"total" : 316132,
"other" : 0,
"terms" : [ {
"term" : "xe",
"count" : 79033
}, {
"term" : "4",
"count" : 79033
}, {
"term" : "1",
"count" : 79033
}, {
"term" : "0",
"count" : 79033
} ]
}
}
}

As you can see, the field port contains "xe-0/0/4:1", but the facet is
breaking it apart into subterms. I want it read as a single term
"xe-0/0/4:1". How do I do this?

Thank you

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/270bb8ce-c4c3-434c-9686-9bbf0a19b86c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


(Kaspars Sprogis) #2

It happens because your "port" is being analyzed by the ES analyzer. It depends
on your mapping, of course, but if you don't specify otherwise, then string
type fields are analyzed with the globally configured analyzer.
If you don't need to make queries on the analyzed "port" field, you can set
"port": { "type": "string", "index": "not_analyzed" } in your mapping
properties.

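Added example, not part of the original thread: a small Python model of why the terms facet returned "xe", "4", "1" and "0" instead of "xe-0/0/4:1", and what the "not_analyzed" mapping from the reply changes. The tokenizer is a simplified stand-in for Elasticsearch's default analyzer (an assumption), and DOCS is constructed sample data shaped like the records above.

```python
import re
from collections import Counter

# Constructed sample documents, shaped like the "_source" records in the thread.
DOCS = [
    {"hostname": "Opus-1", "port": "xe-0/0/4:1"},
    {"hostname": "Opus-1", "port": "xe-0/0/4:1"},
    {"hostname": "Opus-1", "port": "xe-0/0/5:2"},
]

# Field mappings: the default (analyzed) and the one suggested in the reply.
ANALYZED = {"port": {"type": "string"}}
NOT_ANALYZED = {"port": {"type": "string", "index": "not_analyzed"}}


def index_terms(value, field_mapping):
    """Return the distinct terms one document contributes to the index."""
    if field_mapping.get("index") == "not_analyzed":
        return {value}  # the whole string is kept as a single term
    # Simplified stand-in for the default analyzer (assumption): lowercase,
    # then split on every character that is not a letter or a digit.
    return {t for t in re.split(r"[^0-9a-z]+", value.lower()) if t}


def terms_facet(docs, field, mapping):
    """Count documents per indexed term, the way a terms facet reports them."""
    counts = Counter()
    for doc in docs:
        # A set is used, so "0" counts once per document even though it
        # appears twice in "xe-0/0/4:1" (matches the counts in the thread).
        counts.update(index_terms(doc[field], mapping[field]))
    return counts


def facet_total(counts):
    """Sum of all term counts, the facet's "total" value."""
    return sum(counts.values())


if __name__ == "__main__":
    for name, mapping in (("analyzed", ANALYZED), ("not_analyzed", NOT_ANALYZED)):
        facet = terms_facet(DOCS, "port", mapping)
        print(name, dict(facet), "total =", facet_total(facet))
```

With 79033 identical documents the analyzed model gives four terms of 79033 each and a total of 316132, the same figures as the facet output in the question.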


(Jay Wilson) #3

I created a default-mapping.json file in the config directory and placed
the following in it:

{
  "logstash-2013.12.14" : {
    "properties" : {
      "port": { "type": "string", "index": "not_analyzed" }
    }
  }
}

I restarted ES and no change in how "port" is processed. Thoughts?



(Jay Wilson) #4

I have resolved the issue.

Thank you for the help.
