
Elasticsearch query with different fields

Here is an example of my documents:

{
    "@timestamp": "2020-04-24T19:36:52.484Z",
    "token": "123",
    "application": "sso_api_v3",
    "ssoapiv3_method": "GET",
    "ssoapiv3_error_description": "Your access token has expired",
    "code": 401,
    "message": "\"message\"",
    "level": 6,
    "facility": "sso_api_v3",
    "type": "gelf"
}
[...]
{
    "@timestamp": "2020-04-24T19:37:52.484Z",
    "token": "123",
    "application": "sso_api_v3",
    "ssoapiv3_method": "GET",
    "ssoapiv3_error_description": "Your access token has expired",
    "code": 200,
    "message": "\"message\"",
    "level": 6,
    "facility": "sso_api_v3",
    "type": "gelf"
}
[...]

I have a huge number of requests and I would like to do a search in order to get documents with the same token but with code 200 and 401. I can get all 200s and all 401s, but I'm unable to get this for the same token.

There are two ways to do this.

Query:

{
  "size": 0,
  "aggs": {
    "code": {
      "filter": {
        "terms": {
          "code": [
            200,
            401
          ]
        }
      },
      "aggs": {
        "token": {
          "terms": {
            "field": "token.keyword",
            "size": 10
          },
          "aggs": {
            "docs": {
              "top_hits": {
                "size": 10
              }
            }
          }
        }
      }
    }
  }
}

The "terms" filter on "code" with 200, 401 returns all documents with code 200 / 401; the "token" aggregation creates a group per token and fetches the documents under each.

Result:

"aggregations" : {
    "code" : {
      "doc_count" : 1,
      "token" : {
        "doc_count_error_upper_bound" : 0,
        "sum_other_doc_count" : 0,
        "buckets" : [
          {
            "key" : "123",
            "doc_count" : 1,
            "docs" : {
              "hits" : {
                "total" : {
                  "value" : 1,
                  "relation" : "eq"
                },
                "max_score" : 1.0,
                "hits" : [
                  {
                    "_index" : "index9",
                    "_type" : "_doc",
                    "_id" : "16UKynEBAWHHnYGORq-d",
                    "_score" : 1.0,
                    "_source" : {
                      "@timestamp" : "2020-04-24T19:36:52.484Z",
                      "token" : "123",
                      "application" : "sso_api_v3",
                      "ssoapiv3_method" : "GET",
                      "ssoapiv3_error_description" : "Your access token has expired",
                      "code" : 401,
                      "message" : """"message"""",
                      "level" : 6,
                      "facility" : "sso_api_v3",
                      "type" : "gelf"
                    }
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }

Returns the top 1 document per value of the group field. You can get the other documents under that group using inner_hits.

Query:

{
  "query": {
    "terms": {
      "code": [
        200,
        401
      ]
    }
  },
  "collapse": {
    "field": "token.keyword",
    "inner_hits": {
            "name": "docs", 
            "size": 10, 
            "sort": [{ "@timestamp": "asc" }] 
        }
  }
}
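As an added example (not part of the original answer), the following Python builds the two request bodies from the answer above and, on constructed sample documents, shows locally which tokens the asker is actually after: a token that appears with both a 401 and a 200. Both queries above return a token bucket as soon as it has either code, so the aggregation version here adds a cardinality sub-aggregation plus a bucket_selector pipeline aggregation (real Elasticsearch features; the names "distinct_codes" and "both_codes" are my own) to keep only tokens that were seen with every requested code. Nothing here talks to a cluster; the local grouping function is a reference for what the server-side aggregation should produce.

```python
"""Added example: build the two Elasticsearch request bodies and show, on
constructed sample records, which tokens carry both a 401 and a 200."""
import json
from collections import defaultdict

# Constructed sample documents in the shape of the question's GELF records
# (only the fields the queries touch are kept).
SAMPLE_DOCS = [
    {"@timestamp": "2020-04-24T19:36:52.484Z", "token": "123", "code": 401},
    {"@timestamp": "2020-04-24T19:37:52.484Z", "token": "123", "code": 200},
    {"@timestamp": "2020-04-24T19:38:00.000Z", "token": "456", "code": 401},
    {"@timestamp": "2020-04-24T19:39:00.000Z", "token": "789", "code": 200},
    {"@timestamp": "2020-04-24T19:40:00.000Z", "token": "123", "code": 500},
]


def aggregation_query(codes=(200, 401), max_tokens=10, hits_per_token=10):
    """Way 1: filter aggregation -> terms on token.keyword -> top_hits.
    The bucket_selector keeps only token buckets whose documents cover every
    code in `codes`; without it a token seen with just a 401 is returned too."""
    return {
        "size": 0,
        "aggs": {
            "code": {
                "filter": {"terms": {"code": list(codes)}},
                "aggs": {
                    "token": {
                        "terms": {"field": "token.keyword", "size": max_tokens},
                        "aggs": {
                            # number of distinct codes inside this token bucket
                            "distinct_codes": {"cardinality": {"field": "code"}},
                            # drop buckets that do not have all requested codes
                            "both_codes": {
                                "bucket_selector": {
                                    "buckets_path": {"n": "distinct_codes"},
                                    "script": f"params.n == {len(codes)}",
                                }
                            },
                            "docs": {
                                "top_hits": {
                                    "size": hits_per_token,
                                    "sort": [{"@timestamp": "asc"}],
                                }
                            },
                        },
                    }
                },
            }
        },
    }


def collapse_query(codes=(200, 401), hits_per_token=10):
    """Way 2: terms query + field collapse; one hit per token, with the rest
    of that token's documents under inner_hits "docs"."""
    return {
        "query": {"terms": {"code": list(codes)}},
        "collapse": {
            "field": "token.keyword",
            "inner_hits": {
                "name": "docs",
                "size": hits_per_token,
                "sort": [{"@timestamp": "asc"}],
            },
        },
    }


def tokens_with_all_codes(docs, codes=(200, 401)):
    """Local reference for the aggregation: group by token, keep only tokens
    whose documents cover every requested code, oldest document first."""
    wanted = set(codes)
    by_token = defaultdict(list)
    for d in docs:
        if d["code"] in wanted:
            by_token[d["token"]].append(d)
    return {
        tok: sorted(ds, key=lambda d: d["@timestamp"])
        for tok, ds in by_token.items()
        if {d["code"] for d in ds} == wanted
    }


if __name__ == "__main__":
    print(json.dumps(aggregation_query(), indent=2))
    print(json.dumps(collapse_query(), indent=2))
    for tok, ds in tokens_with_all_codes(SAMPLE_DOCS).items():
        print(tok, [d["code"] for d in ds])
```

On the sample data only token "123" survives, because "456" and "789" were each seen with a single code. The cardinality aggregation is approximate in general, but it is exact for counts this small (well under the default precision_threshold), so the bucket_selector comparison is safe here; the collapse variant has no equivalent post-filter, so with that approach the "both codes present" check has to be done on the client over inner_hits.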
