With what you sent, I can not reproduce easily your problem: launch elasticsearch, launch a script and that is.
So, basically, try to provide a script which can be played as explained in the help page.
--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr
Le 19 août 2014 à 16:35:01, vitaly (vitaly.bulgakov@gmail.com) a écrit:
David,
my index was created using logstash with Grok filter (see below) using our logs as a stream in stdin.
I showed the index in my first message. When I am trying to search on fields (no matter which field) it results in
{"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]}}
Please let me know what info is missing to provide you with.
Filter I use when creating the index:
filter{
grok{
match=>[
"message",
"(?:?|&)C=%{DATA:kw}&%{DATA}\sT\s%{DATA:town}\sS\s%{WORD:state}\s%{DATA}%{IP:ip}"
]
}
grok{
match=>[
"message",
"(?:?|&)SRC=%{DATA:src}(?:&|$)"
]
}
}
output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}
On Tuesday, August 19, 2014 9:43:23 AM UTC-4, David Pilato wrote:
Have a look at http://www.elasticsearch.org/help/
We can probably help you if we understand what exactly you are doing.
IN could be an english stop word BTW (which is filtered by standard analyzer on some elasticsearch versions).
--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr
Le 19 août 2014 à 15:40:20, vitaly (vitaly....@gmail.com) a écrit:
David, my question is what I am doing wrong.
Also when I do URI search
http://:9200/_search?q="state:IN"
I am getting 0 results
{"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]}}
What I could do wrong?
On Tuesday, August 19, 2014 9:20:43 AM UTC-4, David Pilato wrote:
I don't really understand the question but I'd say that you should use Marvel / Sense.
It has a better support for running queries.
--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet | @elasticsearchfr
Le 19 août 2014 à 15:10:25, vitaly (vitaly....@gmail.com) a écrit:
Using elasticsearch-head I do query
{
"query": {
"term": {
"NONSENSE":"NONSENSE"
}
}
}
The result shows the entire set no matter what I type in "term"
{
took: 2
timed_out: false
_shards: {
total: 5
successful: 5
failed: 0
}
hits: {
total: 10
max_score: 1
hits: [
{
_index: logstash-2014.08.18
_type: logs
_id: SMUgTGR9R-2SVaL1GTeX9A
_score: 1
_source: {
message: ......
@version: 1
@timestamp: 2014-08-18T16:16:48.797Z
host: .........
kw: area a realty
town: South Bend
state: IN
ip: 198.64.136.68
src: ve-whitepages-dt
}
}
{
_index: logstash-2014.08.18
_type: logs
_id: yWR6DC9sQ2yAqxG9FJXauw
_score: 1
_source: {
message: ......
@version: 1
@timestamp: 2014-08-18T16:16:48.797Z
host: .......
kw: Doors
town: Chicago
state: IL
ip: 98.213.210.163
src: lsxppc21611
}
}
{
_index: logstash-2014.08.18
_type: logs
_id: Z_e-DQQkSv2ON1ar1WooSQ
_score: 1
_source: {
message: .......
@version: 1
@timestamp: 2014-08-18T16:16:48.797Z
host: .......
kw: home improvement
town: Clarkston
state: GA
ip: 172.56.1.181
src: lsxppc19735
}
}
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/03b35e5b-cbf3-4211-adb4-b9de5625f6c3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/etPan.53f374c8.440badfc.132%40MacBook-Air-de-David.local.
For more options, visit https://groups.google.com/d/optout.