Query from ES 2.3 to 5.5

Elastic Stack Elasticsearch
1

We're upgrading from ELK 2.3 to ELK 5.5, I'm trying to make this query work, tried to follow the query changes from ES 2.3 to 5.5 but every time I tweak something in it, different errors came up. Maybe someone can help me edit/translate these queries?

This is the original query and the error I got when I ran it in ES 5.5

image.png976×436 16.9 KB

So I changed "filtered" to "bool" based on this changes --->

But I still get error...

image.png976×436 16.9 KB

Then I tried to remove "bool" and "query" under "query" clause:

image.png1174×357 17.4 KB

I don't know where to go from here.
Thanks in advance!

2

Please don't post pictures of text, they are difficult to read and some people may not be even able to see them :slight_smile:
Are you able to repost the text, making sure it's code formatted?

3

Sorry for that. Here are the codes:

Original Query:

    GET <index_name>/_search
    {
      "from": 0,
      "size": 5,
      "query": {
        "filtered": {
          "query": {
            "regexp": {
              "message": ".*reprocess costing data count = [1-9][0-9]*.*"
            }
          },
          "filter": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m"
                    }
                  }
                }
              ],
              "must_not": []
            }
          }
        }
      }
    }

Error:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "no [query] registered for [filtered]",
        "line": 5,
        "col": 17
      }
    ],
    "type": "parsing_exception",
    "reason": "no [query] registered for [filtered]",
    "line": 5,
    "col": 17
  },
  "status": 400
}

Then changed "filtered" with "bool"(query clause):

GET <index_name>/_search
{
  "from": 0,
  "size": 5,
  "query": {
    "bool": {
      "query": {
        "regexp": {
          "message": ".*reprocess costing data count = [1-9][0-9]*.*"
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": "now-15m"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  }
}

Error 2:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "[bool] query does not support [query]",
        "line": 6,
        "col": 16
      }
    ],
    "type": "parsing_exception",
    "reason": "[bool] query does not support [query]",
    "line": 6,
    "col": 16
  },
  "status": 400
}

Removed "bool" & "query" under "query" clause:

GET <index_name>/_search
{
  "from": 0,
  "size": 5,
  "query": {
    "regexp": {
      "message": ".*reprocess costing data count = [1-9][0-9]*.*"
    }
  },
  "filter": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-15m"
            }
          }
        }
      ],
      "must_not": []
    }
  }
}

Error 3:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Unknown key for a START_OBJECT in [filter].",
        "line": 7,
        "col": 13
      }
    ],
    "type": "parsing_exception",
    "reason": "Unknown key for a START_OBJECT in [filter].",
    "line": 7,
    "col": 13
  },
  "status": 400
}
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.