Querying for inner json parameters

Hi everyone,
I am new to Kibana and I have some difficulties with my queries while using the Dev Tools.
I try to find a log according to its nested JSON and get an error back, and I wish to know what I'm doing wrong.
For example, for this log:
{
  "_index": "logstash-2017.10.20",
  "_type": "my_type",
  "_id": "AV86NYdT0q4wZ6aQFflk",
  "_score": 1,
  "_source": {
    "offset": 4553353,
    "sourceTimestamp": "2017-10-20 08:13:42,583",
    "level": "INFO",
    "logger": "ExecuteProcessTaskExecutor",
    "input_type": "log",
    "source": "D:\\log\\A.[15400].log",
    "message": "[foo:17400]: 2017-10-20 08:13:42,582 [1] INFO ",
    "type": "SIMP - Scheduler",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "@timestamp": "2017-10-20T14:31:48.017Z",
    "task": "Exec:17400:StdOut",
    "@version": "1",
    "beat": {
      "hostname": "A01",
      "name": "A01",
      "version": "5.3.0"
    },
    "host": "A01"
  }
}

I would like to find it according to its hostname or name,
but all the options I tried lead to an error or to 0 hits.

Can anyone assist?

Thanks in advance!

You can use a term query to find all the documents that match that host:

GET logstash-*/_search
{
  "query": {
    "term": {
      "beat.hostname": {
        "value": "A01"
      }
    }
  }
}

https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html


Great, thank you very much!
Follow-up question:
If I want to do a query for a more specific document, in which I require the log to have both hostname "A01"
and type "my_type"
(that was my real intention; the problem occurred in the aggregation in my search).
For the type I used this query:

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "_type": "my_type"
        }
      }
    }
  }
}

But I can't combine them.

Edit:
I saw in the exception I got that:

[term] query doesn't support multiple fields

What search type gives me that option?

Thank you in advance!

You are close. :wink: You have to use the array form of must:

{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "_type": "my_type"
          }
        },
        {
          "term": {
            "beat.hostname": "A01"
          }
        }
      ]
    }
  }
}
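To show why the array form of `must` is needed and why the field has to be named by its full dotted path, here is a small added example (not part of the thread, and not Elasticsearch code): a Python builder that emits one `term` clause per field inside a `must` array, plus a local evaluator that applies such a query to a hit shaped like the document in the question. The sample hit is constructed from the fields shown above; the function names and the evaluator itself are my own and only cover the exact-value `term` clauses used in this thread.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample hit, reduced to the fields relevant here (not a real index).
HIT = {
    "_index": "logstash-2017.10.20",
    "_type": "my_type",
    "_id": "AV86NYdT0q4wZ6aQFflk",
    "_source": {
        "level": "INFO",
        "type": "SIMP - Scheduler",
        "beat": {"hostname": "A01", "name": "A01", "version": "5.3.0"},
        "host": "A01",
    },
}

# Metadata fields live on the hit itself, everything else is under _source.
META_FIELDS = {"_index", "_type", "_id"}


def build_bool_must(conditions: Dict[str, Any]) -> Dict[str, Any]:
    """Build a bool query whose `must` is an array with one term clause per field.

    A single `term` clause may name only one field (this is the
    "[term] query doesn't support multiple fields" error), so every
    field/value pair becomes its own clause inside the array.
    """
    must: List[Dict[str, Any]] = [
        {"term": {field: {"value": value}}} for field, value in conditions.items()
    ]
    return {"query": {"bool": {"must": must}}}


def resolve_path(hit: Dict[str, Any], path: str) -> Any:
    """Look up a dotted field path such as 'beat.hostname' in a hit.

    Returns None when any segment of the path is missing, which is what
    makes a query on a bare 'hostname' field produce no hits.
    """
    if path in META_FIELDS:
        return hit.get(path)
    node: Any = hit.get("_source", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def term_value(clause: Dict[str, Any]) -> Tuple[str, Any]:
    """Unpack a term clause; both {"f": "v"} and {"f": {"value": "v"}} are accepted."""
    [(field, spec)] = clause.items()
    wanted = spec["value"] if isinstance(spec, dict) else spec
    return field, wanted


def matches(hit: Dict[str, Any], query: Dict[str, Any]) -> bool:
    """Evaluate a bool/must query made of exact-value term clauses against one hit."""
    must = query["query"]["bool"]["must"]
    if isinstance(must, dict):  # single-object form: exactly one clause
        must = [must]
    for clause in must:
        field, wanted = term_value(clause["term"])
        # term is an exact comparison: no analysis, no case folding.
        if resolve_path(hit, field) != wanted:
            return False
    return True


def search(hits: List[Dict[str, Any]], query: Dict[str, Any]) -> List[str]:
    """Return the _id of every hit the query matches."""
    return [hit["_id"] for hit in hits if matches(hit, query)]


if __name__ == "__main__":
    query = build_bool_must({"_type": "my_type", "beat.hostname": "A01"})
    print(search([HIT], query))                                   # ['AV86NYdT0q4wZ6aQFflk']
    print(search([HIT], build_bool_must({"hostname": "A01"})))    # [] - no top-level hostname
```

The evaluator mirrors the exact-match semantics of `term`: `beat.hostname` resolves through the nested `beat` object, while a clause on `hostname` alone finds nothing because that key only exists under `beat`. One caveat the local evaluator cannot reproduce: on a real index, if the field is mapped as analyzed `text`, the indexed token is lowercased and `term` on `A01` returns 0 hits as well; in that case query the `keyword` sub-field (for example `beat.hostname.keyword`) or check the mapping first.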
