I use a URL path//_search?q=message:aa.bb.cc.dd.ee.ff to search for
MAC addresses in the following forms:
aabbccddeeff
AA-BB-CC-DD-EE-FF
aa:bb:cc:dd:ee:ff
Questions:
Can I capture all of these forms in one query, or should I use an OR
query with all thinkable combinations?
With a custom analyzer, you could index all three forms as tokens on this
field, and search for them without hassle (i.e. without expensive OR terms
in query or tedious ':' escaping)
Jörg
On Mon, May 19, 2014 at 11:02 AM, Bernard van de Koppel <bernard@sipman.net> wrote:
Hi,
I use a URL path//_search?q=message:aa.bb.cc.dd.ee.ff to search for
MAC addresses in the following forms:
aabbccddeeff
AA-BB-CC-DD-EE-FF
aa:bb:cc:dd:ee:ff
Questions:
Can I capture all of these forms in one query, or should I use an
OR query with all thinkable combinations?
When trying to send it with the escape sequence, I get an error (was first
blaming the lwp library in perl, but Chrome does the same):
{"error":"SearchPhaseExecutionException[Failed to execute phase [query],
all shards failed; shardFailures
{[V-BGingdTFqPYUopr8066Q][logstash-2014.05.19][0]:
SearchParseException[[logstash-2014.05.19][0]: from[-1],size[-1]: Parse
Failure [Failed to parse source
[{"query":{"query_string":{"query":"message:6c:62:6d:6b:1a:4f","lowercase_expanded_terms":true,"analyze_wildcard":false}}}]]];
nested: QueryParsingException[[logstash-2014.05.19] Failed to parse query
[message:6c:62:6d:6b:1a:4f]]; nested: ParseException[Cannot parse
'message:6c:62:6d:6b:1a:4f': Encountered " ":" ": "" at line 1,
column 10.\nWas expecting one of:\n \n ...\n
...\n ...\n "+" ...\n "-" ...\n ...\n
"(" ...\n "*" ...\n "^" ...\n ...\n
...\n <FUZZY_SLOP> ...\n ...\n ...\n
...\n "[" ...\n "{" ...\n ...\n ];
nested: ParseException[Encountered " ":" ": "" at line 1, column 10.\
The query was
somehost/elasticsearch/_search?q=message:6c%3A62%3A6d%3A6b%3A1a%3A4f
On Monday, 19 May 2014 11:12:03 UTC+2, Jörg Prante wrote:
If you mean the colon escaping in the HTTP GET request, just use percent
escaping (%3A is a colon)
With a custom analyzer, you could index all three forms as tokens on this
field, and search for them without hassle (i.e. without expensive OR terms
in query or tedious ':' escaping)
Jörg
I solved this one by escaping the colon with backslashes (thought I
tried this earlier):
/elasticsearch/_search?q=message:6c\:62\:6d\:6b\:1a\:4f
Now figuring out why I get some results with MACs in different formats.
On Monday, 19 May 2014 13:40:09 UTC+2, Bernard van de Koppel wrote:
Hi Jorg,
When trying to send it with the escape sequence, I get an error (was first
blaming the lwp library in perl, but Chrome does the same):
{"error":"SearchPhaseExecutionException[Failed to execute phase [query],
all shards failed; shardFailures
{[V-BGingdTFqPYUopr8066Q][logstash-2014.05.19][0]:
SearchParseException[[logstash-2014.05.19][0]: from[-1],size[-1]: Parse
Failure [Failed to parse source
[{"query":{"query_string":{"query":"message:6c:62:6d:6b:1a:4f","lowercase_expanded_terms":true,"analyze_wildcard":false}}}]]];
nested: QueryParsingException[[logstash-2014.05.19] Failed to parse query
[message:6c:62:6d:6b:1a:4f]]; nested: ParseException[Cannot parse
'message:6c:62:6d:6b:1a:4f': Encountered " ":" ": "" at line 1,
column 10.\nWas expecting one of:\n \n ...\n
...\n ...\n "+" ...\n "-" ...\n ...\n
"(" ...\n "*" ...\n "^" ...\n ...\n
...\n <FUZZY_SLOP> ...\n ...\n ...\n
...\n "[" ...\n "{" ...\n ...\n ];
nested: ParseException[Encountered " ":" ": "" at line 1, column 10.\
The query was
somehost/elasticsearch/_search?q=message:6c%3A62%3A6d%3A6b%3A1a%3A4f
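The two escaping layers discussed in this thread (backslashes for the Lucene query parser, percent-encoding for the HTTP request), shown as an added example that is not code from any poster. The function names and the `http://` scheme on the base URL are assumptions, as is a field analyzer that lowercases tokens; validating the input as a MAC address first keeps stray query operators out of the `q=` parameter.

```python
import re
from urllib.parse import quote

# Operators of the Lucene query_string syntax that must be backslash-escaped.
_LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/]|&&|\|\|)')
# Six hex octets, optionally separated by ':', '-' or '.'.
_MAC_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}[:\-.]?){5}[0-9A-Fa-f]{2}$')


def normalize_mac(raw):
    """Return the 12 lowercase hex digits; reject anything that is not a MAC."""
    if not _MAC_RE.match(raw):
        raise ValueError("not a MAC address: %r" % raw)
    return re.sub(r'[^0-9a-f]', '', raw.lower())


def mac_variants(raw):
    """The three notations listed in the question, lowercased (assumes the
    field's analyzer lowercases tokens at index time)."""
    digits = normalize_mac(raw)
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    return [digits, '-'.join(octets), ':'.join(octets)]


def escape_query_string(term):
    """Backslash-escape Lucene operators so the term is parsed literally."""
    return _LUCENE_SPECIAL.sub(r'\\\1', term)


def build_query(field, raw_mac):
    """field:(v1 OR v2 OR v3), each variant escaped for the query parser."""
    terms = ' OR '.join(escape_query_string(v) for v in mac_variants(raw_mac))
    return '%s:(%s)' % (field, terms)


def build_search_url(base, field, raw_mac):
    """Percent-encode the escaped query for q=; '\\' becomes %5C, ':' %3A."""
    query = quote(build_query(field, raw_mac), safe='')
    return '%s/_search?q=%s' % (base.rstrip('/'), query)


if __name__ == '__main__':
    # Base URL is an assumption; the MAC is the one from the thread.
    print(build_search_url('http://somehost/elasticsearch', 'message',
                           '6c:62:6d:6b:1a:4f'))
```

Whether each variant actually matches still depends on how the `message` field was tokenized at index time, which this example does not model.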