Query or Index problem, please help

Elastic Stack Elasticsearch
5

David,
my index was created using logstash with Grok filter (see below) using our
logs as a stream in stdin.
I showed the index in my first message. When I am trying to search on
fields (no matter which field) it results in

{"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":}}

Please let me know what info is missing to provide you with.

Filter I use when creating the index:

filter{
grok{
match=>[
"message",

"(?:?|&)C=%{DATA:kw}&%{DATA}\sT\s%{DATA:town}\sS\s%{WORD:state}\s%{DATA}%{IP:ip}"
]
}
grok{
match=>[
"message",
"(?:?|&)SRC=%{DATA:src}(?:&|$)"
]
}
}
output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}

On Tuesday, August 19, 2014 9:43:23 AM UTC-4, David Pilato wrote:

Have a look at Elasticsearch Platform — Find real-time answers at scale | Elastic

We can probably help you if we understand what exactly you are doing.

IN could be an english stop word BTW (which is filtered by standard
analyzer on some elasticsearch versions).

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfr
https://twitter.com/elasticsearchfr

Le 19 août 2014 à 15:40:20, vitaly (vitaly....@gmail.com <javascript:>) a
écrit:

David, my question is what I am doing wrong.

Also when I do URI search
http://:9200/_search?q="state:IN"
I am getting 0 results

{"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":}}

What I could do wrong?

On Tuesday, August 19, 2014 9:20:43 AM UTC-4, David Pilato wrote:

I don't really understand the question but I'd say that you should use
Marvel / Sense.
It has a better support for running queries.

 --

David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfr
https://twitter.com/elasticsearchfr

Le 19 août 2014 à 15:10:25, vitaly (vitaly....@gmail.com) a écrit:

Using elasticsearch-head I do query
{
"query": {
"term": {
"NONSENSE":"NONSENSE"
}
}
}
The result shows the entire set no matter what I type in "term"
{

  • took: 2
  • timed_out: false
  • _shards: {
    • total: 5
    • successful: 5
    • failed: 0
      }
  • hits: {
    • total: 10
    • max_score: 1
    • hits: [
      • {
        • _index: logstash-2014.08.18
        • _type: logs
        • _id: SMUgTGR9R-2SVaL1GTeX9A
        • _score: 1
        • _source: {
          • message: ......
          • @version: 1
          • @timestamp: 2014-08-18T16:16:48.797Z
          • host: .........
          • kw: area a realty
          • town: South Bend
          • state: IN
          • ip: 198.64.136.68
          • src: ve-whitepages-dt
            }
            }
      • {
        • _index: logstash-2014.08.18
        • _type: logs
        • _id: yWR6DC9sQ2yAqxG9FJXauw
        • _score: 1
        • _source: {
          • message: ......
          • @version: 1
          • @timestamp: 2014-08-18T16:16:48.797Z
          • host: .......
          • kw: Doors
          • town: Chicago
          • state: IL
          • ip: 98.213.210.163
          • src: lsxppc21611
            }
            }
      • {
        • _index: logstash-2014.08.18
        • _type: logs
        • _id: Z_e-DQQkSv2ON1ar1WooSQ
        • _score: 1
        • _source: {
          • message: .......
          • @version: 1
          • @timestamp: 2014-08-18T16:16:48.797Z
          • host: .......
          • kw: home improvement
          • town: Clarkston
          • state: GA
          • ip: 172.56.1.181
          • src: lsxppc19735
            }
            }

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/4ee5fa39-804b-4b48-9b76-21225daa9c35%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/4ee5fa39-804b-4b48-9b76-21225daa9c35%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/4ff89a22-7d5b-4843-a12c-eaeafc5df8ed%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/4ff89a22-7d5b-4843-a12c-eaeafc5df8ed%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/03b35e5b-cbf3-4211-adb4-b9de5625f6c3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.