Search multi match query in Elasticsearch


(Ha Van Tien) #1

Hello,

I use elasticsearch-php v2.x.

My maps here:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 176983,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "database",
      "_type" : "tables",
      "_id" : "AVmUu_A8gAQ0IJKvU53b",
      "_score" : 1.0,
      "_source" : {
        "timeattack" : "2017-01-11 00:00:23",
        "ip" : "8.8.8.8",
        "asn" : "12345",
        "url" : "POST /aum/api/1/ HTTP/1.1",
        "virus" : "ghost-push",
        "src_port" : "38897",
        "dst_port" : "80",
        "http_host" : "u.amobisc.com",
        "dst_ip" : "23.55.12.12",
        "updated" : "2017-01-13 05:11:01",
        "active" : "0",
        "loai" : "HTTP Sinkhole6"
      }
    }, {

Now I want to select all records that have:

  • active = 0
  • ip = 8.8.8.8 or ip = 9.9.9.9 or asn = 12345

I have read this and this but without success.

This is my query:

<?php
// $client (the Elasticsearch\Client instance) is assumed to be created in app/init.php.
require "app/init.php";

$indexDB = "database";
$typeDB = "tables";
$params = [
    "index" => $indexDB,
    "type" => $typeDB,
    "size" => 100,
    "body" => [
        "query" => [
            "constant_score" => [
                "filter" => [
                    "bool" => [
                        "should" => [
                            "term" => [ "asn" => "12345"],
                            "term" => [ "ip" => "8.8.8.8"],
                            "term" => [ "ip" => "9.9.9.9"]
                        ],
                        "must" => [
                            "term" => [ "active" => "0"]
                        ]
                    ]
                ]
            ]
        ]
    ]
];

$results = $client->search($params);
echo "<pre>";
var_dump($results);

Can you show me my problem?

My Skype: tien.hv


(Froest2012) #2

You should give the mappings of the index "database".


(Ha Van Tien) #3

Hello,

Thanks for your reply.

This is my mappings:

{
  "database" : {
    "mappings" : {
      "tables" : {
        "properties" : {
          "asn" : {
            "type" : "string"
          },
          "dst_ip" : {
            "type" : "string"
          },
          "dst_port" : {
            "type" : "string"
          },
          "ip" : {
            "type" : "string"
          },
          "active" : {
            "type" : "string"
          },
          "timeattack" : {
            "type" : "string"
          },
          "url" : {
            "type" : "string"
          },
          "virus" : {
            "type" : "string"
          }
        }
      }
    }
  }
}

(何之真) #4

What about adding one more line: "minimum_should_match": 1?


(Froest2012) #5

{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "active": "0"
          }
        }
      ],
      "should": [
        {
          "term": {
            "ip": "8.8.8.8"
          }
        },
        {
          "term": {
            "ip": "9.9.9.9"
          }
        },
        {
          "term": {
            "asn": "12345"
          }
        }
      ]
    }
  },
  "from": 0,
  "size": 10,
  "sort": [],
  "aggs": {}
}

Using the query above, I can query docs. Maybe you should install the head plugin.
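The added example below (my own code, not from the thread) shows in Python why the original PHP array fails and why the corrected query from this reply works. Both a PHP associative array and a Python dict keep only the last of several identical "term" keys, so the original "should" block shrinks to a single clause; the fix is a list of one-clause objects. The documents are constructed, and the tiny evaluator reproduces only the bool/term semantics relevant here, including the Elasticsearch rule that "should" clauses are optional once a "must" clause is present unless "minimum_should_match" is set (reply #4's point).

```python
import json

# Constructed sample records, shaped like the thread's _source documents.
DOCS = [
    {"ip": "8.8.8.8", "asn": "12345", "active": "0"},
    {"ip": "9.9.9.9", "asn": "99999", "active": "0"},
    {"ip": "1.1.1.1", "asn": "12345", "active": "1"},
    {"ip": "1.1.1.1", "asn": "99999", "active": "0"},
]


def broken_should():
    """Shape of the original PHP 'should' block: one mapping with three 'term'
    keys. Duplicate keys collapse, so only the last clause survives."""
    return {"term": {"asn": "12345"},
            "term": {"ip": "8.8.8.8"},
            "term": {"ip": "9.9.9.9"}}


def build_query(ips, asns, active="0", min_should=1):
    """Correct shape: 'must' and 'should' are lists of single-clause objects."""
    should = [{"term": {"ip": ip}} for ip in ips]
    should += [{"term": {"asn": asn}} for asn in asns]
    return {"query": {"bool": {
        "must": [{"term": {"active": active}}],
        "should": should,
        "minimum_should_match": min_should,
    }}}


def matches(bool_q, doc):
    """Toy evaluator: exact-value term clauses (as on not_analyzed fields).
    Ignores filter/must_not; enough to show why minimum_should_match matters."""
    def term_ok(clause):
        return all(doc.get(f) == v for f, v in clause["term"].items())

    must_ok = all(term_ok(c) for c in bool_q.get("must", []))
    should_hits = sum(term_ok(c) for c in bool_q.get("should", []))
    # Elasticsearch default: 1 if there is no must clause, otherwise 0.
    need = bool_q.get("minimum_should_match", 0 if bool_q.get("must") else 1)
    return must_ok and should_hits >= need


def search(query):
    """Return 'ip/asn' of each constructed document the query matches."""
    return [d["ip"] + "/" + d["asn"] for d in DOCS
            if matches(query["query"]["bool"], d)]


def request_body(query):
    """The JSON actually sent to the cluster, for inspection."""
    return json.dumps(query, indent=2)
```

Running search(build_query(["8.8.8.8", "9.9.9.9"], ["12345"])) returns only the two intended records, while the same query with min_should=0 also returns the active but unrelated 1.1.1.1/99999 record.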



(Xavier Facq) #6

Hi,

I think that all your fields are analyzed, so the term query cannot be applied here. You must set the mapping of the IP field to: "index": "not_analyzed"

Read: https://www.elastic.co/guide/en/elasticsearch/reference/2.4/mapping.html


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.