Terms Filter Assistance

We have 2 indices (logs & intel) and are trying to search 2 fields in the
logs index (src & dst) for any match from the intel ip field. The challenge
is the terms filter is expecting 1 document with all the values to be
searched for within that document. The intel index has over 150k documents.

Is there a way to extract the ip field from the intel index (aggregations
maybe) and use that to search the src & dst fields in the logs index?

Here is the code I am trying to use:

curl -XGET localhost:9200/logs/_search -d '{
  "query" : {
    "filtered" : {
      "filter" : {
        "terms" : {
          "src" : {
            "index" : "intel",
            "type" : "ipaddress",
            "id" : "*",
            "path" : "ip"
          },
          "dst" : {
            "index" : "intel",
            "type" : "ipaddress",
            "id" : "*",
            "path" : "ip"
          }
        }
      }
    }
  }
}'

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b2d9d8c9-4747-4cb6-badc-4752345544dc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
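The following is an added example, not code from the thread or from Elasticsearch itself. It shows two ways to express the logs-vs-intel IP join in the Elasticsearch 1.x query DSL of the time: collapsing every intel IP into one lookup document so the terms lookup filter (index/type/id/path) can reference it once for `src` and once for `dst`, OR'd with a `bool` filter; and, without a lookup document, pulling the IP list client-side and sending inline `terms` filters in chunks so a 150k-entry list is not one enormous request. No cluster is contacted: the functions return the JSON bodies you would send with curl, and `match_locally()` reproduces the filter semantics over constructed sample documents so the expected result can be checked offline. The index, type and document names `intel_lookup`/`ipaddress`/`all`, and the `not_analyzed` mapping for `src`/`dst`, are assumptions.

```python
"""Added example (not from the thread): join 'logs' against 'intel' by IP in
the Elasticsearch 1.x query DSL, with the intel side collapsed into either one
lookup document or a chunked inline terms list. Runs entirely offline."""
import ipaddress
import json

# Constructed sample data, not from the thread. One intel entry is malformed
# and one IPv6 entry is in non-canonical (uppercase) form on purpose.
INTEL_DOCS = [
    {"ip": "203.0.113.5"},
    {"ip": "198.51.100.7"},
    {"ip": "192.0.2.1"},
    {"ip": "2001:DB8::1"},
    {"ip": "not-an-ip"},
]
LOG_DOCS = [
    {"_id": "1", "src": "10.0.0.1", "dst": "203.0.113.5"},
    {"_id": "2", "src": "198.51.100.7", "dst": "10.0.0.2"},
    {"_id": "3", "src": "10.0.0.3", "dst": "10.0.0.4"},
    {"_id": "4", "src": "10.0.0.5", "dst": "2001:db8::1"},
]

# Assumed names for the lookup document (not from the thread).
LOOKUP_INDEX, LOOKUP_TYPE, LOOKUP_ID = "intel_lookup", "ipaddress", "all"


def canonical(value):
    """Canonical text form of an IP, or None if the value is not an IP.
    Terms filters compare exact strings, so '2001:DB8::1' and '2001:db8::1'
    would otherwise never match each other."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def collect_intel_ips(intel_docs):
    """The 'extract the ip field' step, done client-side (in practice a scroll
    over the intel index fetching only 'ip'). Duplicates are collapsed and
    malformed entries dropped instead of silently poisoning the list."""
    return sorted({c for c in (canonical(d.get("ip", "")) for d in intel_docs) if c})


def lookup_document(ips):
    """Body for PUT /intel_lookup/ipaddress/all: one document holding every
    intel IP, which is exactly the shape the terms lookup filter needs."""
    return {"ip": list(ips)}


def _terms_lookup(field):
    return {"terms": {field: {"index": LOOKUP_INDEX, "type": LOOKUP_TYPE,
                              "id": LOOKUP_ID, "path": "ip"}}}


def lookup_query():
    """Body for GET /logs/_search. A terms filter takes ONE field, so src and
    dst each get their own lookup filter, OR'd together with a bool filter."""
    return {"query": {"filtered": {
        "query": {"match_all": {}},
        "filter": {"bool": {"should": [_terms_lookup("src"), _terms_lookup("dst")]}},
    }}}


def inline_queries(ips, chunk_size=10000):
    """Alternative with no lookup document: inline terms filters, one search
    body per chunk of IPs. Merge the hits client-side."""
    ips = list(ips)
    for i in range(0, len(ips), chunk_size):
        chunk = ips[i:i + chunk_size]
        yield {"query": {"filtered": {
            "query": {"match_all": {}},
            "filter": {"bool": {"should": [{"terms": {"src": chunk}},
                                           {"terms": {"dst": chunk}}]}},
        }}}


def match_locally(log_docs, ips):
    """Same semantics as the filters above, evaluated in Python: a log document
    matches when its src OR dst is in the intel set. Assumes src/dst are
    not_analyzed strings in the logs mapping, so the comparison is exact."""
    wanted = set(ips)
    return [d["_id"] for d in log_docs
            if canonical(d.get("src", "")) in wanted
            or canonical(d.get("dst", "")) in wanted]


if __name__ == "__main__":
    ips = collect_intel_ips(INTEL_DOCS)
    print(json.dumps(lookup_document(ips)))
    print(json.dumps(lookup_query(), indent=2))
    print("matching log ids:", match_locally(LOG_DOCS, ips))
```

The lookup-document route is the one to prefer when the intel set changes: re-index the single document and every subsequent search picks up the new list, whereas the inline route ships the whole list on each request. In both cases the `src` and `dst` fields should be mapped `not_analyzed` (or as the 1.x `ip` type for IPv4-only data); an analyzed string field can split IPv6 addresses into tokens that never equal the intel values.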

You are trying to perform a join. The closest things to a join that
elasticsearch has are nested documents (index-time joins) and parent/child
relationships (search-time joins). However, I don't think any of these
solutions would work out of the box for you since you are trying to join
on two fields at the same time.

On Wed, Aug 20, 2014 at 10:40 PM, Brian brianb2@gmail.com wrote:


--
Adrien Grand
