Hi,
I have some simple data (just two rows from the Apache log):
{
        "message" => "199.201.64.129 - - [19/Aug/2015:07:06:25 +0800] \"GET /v2/brands/12 HTTP/1.1\" 200 1031 \"-\" \"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\"",
       "@version" => "1",
     "@timestamp" => "2015-08-18T23:06:25.000Z",
           "host" => "zhaoweiweideMacBook-Pro.local",
           "path" => "/Users/zhaoweiwei/logs/test/testLog.log",
       "clientip" => "199.201.64.129",
          "ident" => "-",
           "auth" => "-",
      "timestamp" => "19/Aug/2015:07:06:25 +0800",
           "verb" => "GET",
        "request" => "/v2/brands/12",
    "httpversion" => "1.1",
       "response" => "200",
          "bytes" => "1031",
       "referrer" => "\"-\"",
          "agent" => "\"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\""
}
{
        "message" => "211.144.202.170 - - [20/Aug/2015:07:06:25 +0800] \"GET /v2/brands/12 HTTP/1.1\" 200 1031 \"-\" \"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\"",
       "@version" => "1",
     "@timestamp" => "2015-08-19T23:06:25.000Z",
           "host" => "zhaoweiweideMacBook-Pro.local",
           "path" => "/Users/zhaoweiwei/logs/test/testLog.log",
       "clientip" => "211.144.202.170",
          "ident" => "-",
           "auth" => "-",
      "timestamp" => "20/Aug/2015:07:06:25 +0800",
           "verb" => "GET",
        "request" => "/v2/brands/12",
    "httpversion" => "1.1",
       "response" => "200",
          "bytes" => "1031",
       "referrer" => "\"-\"",
          "agent" => "\"Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)\""
}
I want to get the distinct client IPs in a date range, so I execute the query below:
curl -XGET 'http://localhost:9200/logstash-*/_search?search_type=count' -d '
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "range": {
          "timestamp": {
            "gte": "2015-08-01 00:00:00",
            "lte": "2015-08-31 00:00:00",
            "format": "yyyy-MM-dd HH:mm:ss",
            "time_zone": "+8:00"
          }
        }
      }
    }
  },
  "aggs": {
    "group_by_device_id": {
      "terms": {
        "field": "clientip"
      }
    }
  }
}'
It works well and I can get the values. But when I add an 'and' filter to the above query, I can't get the values:
curl -XGET 'http://localhost:9200/logstash-*/_search?search_type=count' -d '
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "and": [
          {
            "range": {
              "timestamp": {
                "gte": "2015-08-01 00:00:00",
                "lte": "2015-08-31 00:00:00",
                "format": "yyyy-MM-dd HH:mm:ss",
                "time_zone": "+8:00"
              }
            }
          },
          {
            "prefix": {"request": "/v2/brands"}
          }
        ]
      }
    }
  },
  "aggs": {
    "group_by_device_id": {
      "terms": {
        "field": "clientip"
      }
    }
  }
}'
What's wrong with my query? Thanks in advance!
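The following is an added example (editor's code, not the poster's and not part of Elasticsearch or Logstash) that illustrates the most common reason a prefix filter on a field like `request` returns nothing. It assumes the index was created with the default Logstash template for Elasticsearch 1.x, which maps every string field as an analyzed string and also indexes the untouched value under a `not_analyzed` sub-field named `request.raw`; if the index uses a different mapping, the sub-field name is an assumption. The analyzer below is a simplified model of the standard analyzer (split on non-alphanumerics, lowercase) that is accurate for URL paths such as `/v2/brands/12`, where the indexed terms become `v2`, `brands` and `12`, none of which starts with `/v2/brands`. The two log lines are constructed from the question's own output.

```python
import json
import re

# Constructed sample input: the two Apache combined-log lines quoted in the
# question, re-typed as plain strings for this example.
SAMPLE_LOG_LINES = [
    '199.201.64.129 - - [19/Aug/2015:07:06:25 +0800] "GET /v2/brands/12 HTTP/1.1" '
    '200 1031 "-" "Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)"',
    '211.144.202.170 - - [20/Aug/2015:07:06:25 +0800] "GET /v2/brands/12 HTTP/1.1" '
    '200 1031 "-" "Mode/2.0.7 (iPhone Simulator; iOS 8.3; Scale/2.00)"',
]

# Minimal combined-log parser that extracts the same field names grok's
# COMBINEDAPACHELOG pattern produced in the question's output.
COMBINED_RE = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_combined(line):
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: %r" % line)
    return m.groupdict()


def standard_analyze(text):
    """Simplified model of the ES standard analyzer: tokenize on
    non-alphanumerics and lowercase.  Adequate for URL paths; the real
    tokenizer has more rules (it keeps dotted numbers such as IPs whole)."""
    return [t.lower() for t in re.findall(r"[0-9A-Za-z]+", text)]


def index_docs(lines):
    """Tiny in-memory 'index' for the request field, modelled on the default
    Logstash template for ES 1.x (assumption): `request` is an analyzed
    string and `request.raw` holds the same value indexed not_analyzed."""
    docs = []
    for line in lines:
        fields = parse_combined(line)
        docs.append({
            "_source": fields,
            "_terms": {
                "request": set(standard_analyze(fields["request"])),
                "request.raw": {fields["request"]},
            },
        })
    return docs


def prefix_filter(docs, field, prefix):
    """A prefix filter is evaluated against the terms in the inverted index
    for `field`, never against the original _source string, so the field's
    analysis decides whether anything can match at all."""
    return [d for d in docs
            if any(t.startswith(prefix) for t in d["_terms"].get(field, ()))]


def distinct_clientips(docs):
    """What the terms aggregation on clientip would bucket."""
    return sorted({d["_source"]["clientip"] for d in docs})


def corrected_query(prefix, gte, lte):
    """The question's second query with only one change: the prefix filter
    targets the not_analyzed sub-field `request.raw` (name assumed from the
    default Logstash template)."""
    return {
        "query": {"filtered": {
            "query": {"match_all": {}},
            "filter": {"and": [
                {"range": {"timestamp": {
                    "gte": gte, "lte": lte,
                    "format": "yyyy-MM-dd HH:mm:ss", "time_zone": "+8:00"}}},
                {"prefix": {"request.raw": prefix}},
            ]},
        }},
        "aggs": {"group_by_device_id": {"terms": {"field": "clientip"}}},
    }


if __name__ == "__main__":
    docs = index_docs(SAMPLE_LOG_LINES)
    print("indexed terms for request:", sorted(docs[0]["_terms"]["request"]))
    print("prefix on request    :", distinct_clientips(prefix_filter(docs, "request", "/v2/brands")))
    print("prefix on request.raw:", distinct_clientips(prefix_filter(docs, "request.raw", "/v2/brands")))
    print(json.dumps(corrected_query("/v2/brands", "2015-08-01 00:00:00",
                                     "2015-08-31 00:00:00"), indent=2))
```

To confirm the diagnosis against a real index rather than this model, the `_analyze` API with the `field` parameter shows the exact terms a value produces for a given mapped field; if the terms for `request` do not start with `/v2/brands`, the prefix filter has nothing to match and the `.raw` sub-field (or a `not_analyzed` mapping) is the place to point it.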