Query parse error

voipoclay · March 25, 2016, 9:56pm

I was wondering why one query works and other doesnt. The top one gives me a parse error.

does not work:

{
	"query": {
		"filtered": {
			"query": {
				"query_string": {
					"query": "*",
					"analyze_wildcard": true
				}
			},
			"filter": {
				"bool": {
					"must": {
						"0": {
							"range": {
								"@timestamp": {
									"gte": "now-30d/d",
									"lte": "now",
									"format": "yyyy-MM-dd HH:mm:ss"
								}
							}
						}
					}
				}
			}
		}
	}
}

Works:

{
	"query": {
		"filtered": {
			"query": {
				"query_string": {
					"query": "*",
					"analyze_wildcard": true
				}
			},
			"filter": {
				"bool": {
					"must": [{
						"range": {
							"@timestamp": {
								"gte": "now-30d/d",
								"lte": "now",
								"format": "yyyy-MM-dd HH:mm:ss"
							}
						}
					}]
				}
			}
		}
	}
}

Glen_Smith · March 25, 2016, 10:15pm

Clay,

The first query is malformed.

What does the parse error say?

Glen

voipoclay · March 26, 2016, 12:06am

{
   "error": {
      "root_cause": [
         {
            "type": "query_parsing_exception",
            "reason": "No query registered for [0]",
            "index": "channelhangup2-2016.03.10",
            "line": 13,
            "col": 19
         }
  }
}

A bunch of times for each index over the range. Shouldn't ES just strip out the "0" ?

Glen_Smith · March 26, 2016, 12:53am

Clay,

No. That's not a valid construction of a must clause. You should use the one that works.

Glen