Question about 'And' filter


(peter) #1

Hi,

I have simple data (just two rows from an Apache log):
{
    "message"     => "199.201.64.129 - - [19/Aug/2015:07:06:25 +0800] \"GET /v2/brands/12 HTTP/1.1\" 200 1031 \"-\" \"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\"",
    "@version"    => "1",
    "@timestamp"  => "2015-08-18T23:06:25.000Z",
    "host"        => "zhaoweiweideMacBook-Pro.local",
    "path"        => "/Users/zhaoweiwei/logs/test/testLog.log",
    "clientip"    => "199.201.64.129",
    "ident"       => "-",
    "auth"        => "-",
    "timestamp"   => "19/Aug/2015:07:06:25 +0800",
    "verb"        => "GET",
    "request"     => "/v2/brands/12",
    "httpversion" => "1.1",
    "response"    => "200",
    "bytes"       => "1031",
    "referrer"    => "\"-\"",
    "agent"       => "\"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\""
}
{
    "message"     => "211.144.202.170 - - [20/Aug/2015:07:06:25 +0800] \"GET /v2/brands/12 HTTP/1.1\" 200 1031 \"-\" \"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\"",
    "@version"    => "1",
    "@timestamp"  => "2015-08-19T23:06:25.000Z",
    "host"        => "zhaoweiweideMacBook-Pro.local",
    "path"        => "/Users/zhaoweiwei/logs/test/testLog.log",
    "clientip"    => "211.144.202.170",
    "ident"       => "-",
    "auth"        => "-",
    "timestamp"   => "20/Aug/2015:07:06:25 +0800",
    "verb"        => "GET",
    "request"     => "/v2/brands/12",
    "httpversion" => "1.1",
    "response"    => "200",
    "bytes"       => "1031",
    "referrer"    => "\"-\"",
    "agent"       => "\"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\""
}

I want to get the distinct client IPs in a date range, so I execute the query below:
curl -XGET 'http://localhost:9200/logstash-*/_search?search_type=count' -d '
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "range": {
          "timestamp": {
            "gte": "2015-08-01 00:00:00",
            "lte": "2015-08-31 00:00:00",
            "format": "yyyy-MM-dd HH:mm:ss",
            "time_zone": "+8:00"
          }
        }
      }
    }
  },
  "aggs": {
    "group_by_device_id": {
      "terms": {
        "field": "clientip"
      }
    }
  }
}'

It works well and I can get the values. But when I add the 'and' filter to the above query, I can't get the values:

curl -XGET 'http://localhost:9200/logstash-*/_search?search_type=count' -d '
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "and": [
          {
            "range": {
              "timestamp": {
                "gte": "2015-08-01 00:00:00",
                "lte": "2015-08-31 00:00:00",
                "format": "yyyy-MM-dd HH:mm:ss",
                "time_zone": "+8:00"
              }
            }
          },
          {
            "prefix": {
              "request": "/v2/brands"
            }
          }
        ]
      }
    }
  },
  "aggs": {
    "group_by_device_id": {
      "terms": {
        "field": "clientip"
      }
    }
  }
}'

What's wrong with my query? Thanks in advance!


(Luca Cavanna) #2

Hi,
Do you mean that when you add the second filter you don't get back any aggregation entries anymore? But do you still get back search results?

Can you also post the mapping for the request field please?


(peter) #3

Thanks for the reply. I have fixed the issue by setting the "request" field to not_analyzed in the mapping.
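Why that mapping change fixes the query, as an added example that is not part of the thread and not Elasticsearch's own code: a prefix filter is a term-level filter, so its argument is never analyzed and is compared byte-for-byte against the terms in the index. With the default analyzer on a string field, "/v2/brands/12" is indexed as the three terms "v2", "brands" and "12", none of which starts with "/v2/brands", so the filter matches nothing and the terms aggregation over the empty result set is empty. With "index": "not_analyzed" the whole path is one term and the prefix matches. The tokenizer below is an approximation of the standard analyzer written for this example, the sample documents are constructed (the third row is invented), and the mapping constant uses the Elasticsearch 1.x mapping syntax the thread's queries imply.

```python
"""
Simulation of a term-level prefix filter against analyzed vs. not_analyzed
terms (added example; not Elasticsearch code).
"""
import re

# Constructed sample documents, modelled on the two log lines in the thread,
# plus one assumed extra row outside the /v2/brands tree.
DOCS = [
    {"clientip": "199.201.64.129", "request": "/v2/brands/12"},
    {"clientip": "211.144.202.170", "request": "/v2/brands/12"},
    {"clientip": "10.0.0.7", "request": "/v1/users/5"},
]

# Elasticsearch 1.x mapping for the fix: store the path as a single term.
NOT_ANALYZED_REQUEST_MAPPING = {
    "properties": {
        "request": {"type": "string", "index": "not_analyzed"}
    }
}


def analyze_standard(text):
    """Approximation of the standard analyzer for a URL path: split on
    anything that is not a letter or digit, then lowercase. For
    "/v2/brands/12" this gives the same terms the real analyzer does."""
    return [tok.lower() for tok in re.findall(r"[A-Za-z0-9]+", text)]


def indexed_terms(value, analyzed):
    """Terms that end up in the inverted index for one field value."""
    return analyze_standard(value) if analyzed else [value]


def prefix_filter(docs, field, prefix, analyzed):
    """Term-level prefix filter: the prefix is NOT analyzed, so it is
    compared as-is against whatever terms were indexed for the field."""
    return [
        doc for doc in docs
        if any(term.startswith(prefix) for term in indexed_terms(doc[field], analyzed))
    ]


def distinct_clientips(docs, field, prefix, analyzed):
    """The thread's terms aggregation on clientip, run over the filtered set.
    Returns {clientip: doc_count}."""
    counts = {}
    for doc in prefix_filter(docs, field, prefix, analyzed):
        counts[doc["clientip"]] = counts.get(doc["clientip"], 0) + 1
    return counts


if __name__ == "__main__":
    print("terms indexed for '/v2/brands/12' when analyzed:",
          analyze_standard("/v2/brands/12"))
    print("analyzed    :", distinct_clientips(DOCS, "request", "/v2/brands", analyzed=True))
    print("not_analyzed:", distinct_clientips(DOCS, "request", "/v2/brands", analyzed=False))
```

Two caveats for anyone applying the same fix: a not_analyzed prefix is case-sensitive and exact, so "/V2/brands" would not match; and changing the index setting of an existing field does not re-tokenize documents already indexed, so the new mapping (typically via an index template for logstash-*) only takes effect for newly created indices, and older ones must be reindexed. Logstash's default index template for Elasticsearch 1.x also adds a not_analyzed ".raw" sub-field to string fields, so where that template is in use a prefix filter on "request.raw" gives the same result without remapping.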
