Query syntax?


I need to extract certain records from logs and make some grouping based on some fields. It requires that a substring based on regexp is extracted from one of the fields to allow grouping.

After some googling I thought of creating a query having filter condition like "this field exists" and "other field equals to some string", the latter field being preprocessed during the query by some Painless script.

However, after reading the docs regarding query syntax back and forth, I am still not able to get even just the "this field exists" and "a field equals some fixed string" simple query working (without a script). The docs and the "hello world" examples do not cover such a case, and any attempts to intuitively combine them into this "this field exists" and "a field equals some fixed string" simple query failed.

Anyone insane enough to understand the syntax who could help? :slight_smile:

Care to share what you tried so far?

Potentially you can use the exists query instead of implementing your own script for that, as that would be a massive speed gain.

Also, runtime fields might be a good candidate for what you want to do, by splitting your data while still being able to run queries and aggregations as if it were stored in its own field.
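One way to combine the two suggestions above in the Query DSL, as an added example that is not from the original thread: a bool query whose filter clause holds an exists query and a term query, plus a runtime field that pulls the substring out with a grok pattern so a terms aggregation can group on it. The index pattern `logs-*`, the fields `host.name`, `event.action` and `message.keyword`, the value `login_failed` and the pattern `user=%{WORD:user}` are assumptions; the body is sent as `GET logs-*/_search`.

```json
{
  "size": 0,
  "runtime_mappings": {
    "login_user": {
      "type": "keyword",
      "script": {
        "source": "String u = grok('user=%{WORD:user}').extract(doc['message.keyword'].value)?.user; if (u != null) emit(u);"
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        { "exists": { "field": "host.name" } },
        { "term": { "event.action": "login_failed" } }
      ]
    }
  },
  "aggs": {
    "by_user": {
      "terms": { "field": "login_user", "size": 20 }
    }
  }
}
```

The filter clause does not score, so both conditions are cached and cheap; documents where the grok pattern does not match emit nothing and simply fall out of the `by_user` buckets.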
