Search API Questions

Hi, I'm trying to search through my Elasticsearch instance with the GET API, and I'm able to do most of what I want. I wasn't able to find any information on my one question though, so I'm hoping someone could help me with this.

Currently when I run the following in my browser:

"http://logd1svrus:9200/logstash-2016.04.29/log4net/_search?size=100000&q=applicationName:AX&?human&pretty"

I'm able to get the results that I want. What I would like to do though, is add an additional field to my query, so rather than just finding everything that belongs to the application name AX, I would also like to be able to put a time range, or an additional field. Is it possible to do this through the Web API? I've tried things like q=applicationName:AX&environment:Production, but this doesn't give me the results I'm looking for.

Thanks!

Hi,

For the URI search you are using when sending requests through the _search endpoint, the query is mapped to the Query String Query. The syntax gives you some options, like using AND/OR or even range queries, but using the URI parameter for complex queries usually gets tricky with escaping etc., so I'd always say using the JSON Query DSL is usually the better option.

Did you know that for Kibana 4.2 there is a handy plugin called Sense that gives you a nice UI for playing with more complex queries, including an auto-complete feature and nice formatting of the response?

Hope this helps.

I'd use the QueryDSL instead. Much more flexible than using parameters.

GET index/_search
{
  "query": { 
    // Query goes here
  }
}

BTW size=100000 is not a good idea and will be rejected in the near future. IIRC the default maximum size for deep pagination is now 10000. Unsure though.

I'll take a look at it. I used another application that was similar, but the results were not accessible to me in a format that I could use. I'm using PowerShell from a Windows box to pull the results in and format them.

I'll give it a try.

I know that it will return up to at least 40k, which is how many records I've been looking at lately. I'm not really interested in search performance, but rather being able to get all the records. If it's going to be removed I'll have to figure out queryDSL and get it working with my current implementation.

Thanks.

For those cases, definitely make sure to take a look at the Scroll API that is designed to return a large number of results.
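
As an added example (not code posted by anyone in the thread): the two-field-plus-time-range search asked about above, written as a Query DSL body and read back through the Scroll API instead of size=100000. Host, index and field names come from the thread; the `@timestamp` field, the page size and the `fake_cluster` stand-in are assumptions, and the same JSON bodies can be sent from PowerShell or any other HTTP client.

```python
import json
from urllib import request

ES = "http://logd1svrus:9200"            # host taken from the thread
INDEX = "logstash-2016.04.29/log4net"    # index/type taken from the thread

def build_query(app, env, start, end, page_size=1000):
    """Query DSL body: both fields must match and the event must fall in [start, end)."""
    return {
        "size": page_size,  # hits per scroll page, not the total number returned
        "query": {"bool": {"must": [
            {"match": {"applicationName": app}},
            {"match": {"environment": env}},
            # "@timestamp" is an assumption (the Logstash default time field)
            {"range": {"@timestamp": {"gte": start, "lt": end}}},
        ]}},
    }

def http_post(path, body):
    """Default transport: POST a JSON body to the cluster and decode the JSON reply."""
    req = request.Request(ES + path, data=json.dumps(body).encode("utf-8"),
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))

def scroll_all(body, post=http_post, keep_alive="1m"):
    """Yield every matching hit by following the scroll cursor until a page is empty."""
    page = post("/%s/_search?scroll=%s" % (INDEX, keep_alive), body)
    while page["hits"]["hits"]:
        for hit in page["hits"]["hits"]:
            yield hit
        page = post("/_search/scroll",
                    {"scroll": keep_alive, "scroll_id": page["_scroll_id"]})

def fake_cluster(docs, page_size):
    """Constructed stand-in for the cluster so the example runs offline."""
    state = {"pos": 0}
    def post(path, body):
        chunk = docs[state["pos"]:state["pos"] + page_size]
        state["pos"] += len(chunk)
        return {"_scroll_id": "constructed-id", "hits": {"hits": chunk}}
    return post

if __name__ == "__main__":
    body = build_query("AX", "Production", "2016-04-29T00:00:00", "2016-04-29T12:00:00")
    docs = [{"_id": str(i)} for i in range(2500)]  # constructed sample hits
    print(sum(1 for _ in scroll_all(body, post=fake_cluster(docs, body["size"]))))
```

Calling `scroll_all(body)` without the `post` argument sends the requests to the real host.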