Amith Gopal

Reputation: 173

Searching for Records in ElasticSearch based on keys in the "_source" field

I have the records in the elasticsearch in this format:

 {
      "_index" : "feb14",
      "_type" : "apache_access",
      "_id" : "1EONaxeVR1-drG0EeQv2QA",
      "_score" : 1.0,
      "_source":{"message":"8.8.8.8 - kurt [18/May/2011:01:48:10 -0700] \"GET /admin HTTP/1.1\" 301 566 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\"","@version":"1","@timestamp":"2011-05-18T08:48:10.000Z","host":"amith-Dell-System-XPS-L502X","path":"/home/amith/Desktop/logstash-1.4.2/accesslog3","type":"apache_access","clientip":"8.8.8.8","ident":"-","auth":"kurt","timestamp":"18/May/2011:01:48:10 -0700","verb":"GET","request":"/admin","httpversion":"1.1","response":"301","bytes":"566","referrer":"\"-\"","agent":"\"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\""}
    }

I need to filter the records based on a field in the "_source" part of the record. Can anyone please tell me how I can do that?

I have looked into the search APIs and scripting in Elasticsearch, but I am not able to combine them to obtain the result.

Upvotes: 0

Views: 234

Answers (2)

skgemini

Reputation: 620

If I am reading your JSON structure correctly, the "response": "301" field is a nested field inside the _source field. You can query by any of the nested fields inside _source by mapping _source as a nested object.

    {
        "nested" : {
            "path" : "obj1",
            "query" : {
                "bool" : {
                    "must" : [
                        {
                            "match" : {"_source.response" : "301"}
                        }
                    ]
                }
            }
        }
    }

Have a look at mapping nested objects and nested queries:

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-nested-query.html

Map _source as nested object: http://www.elasticsearch.org/guide/en/elasticsearch/guide/current/nested-mapping.html

Upvotes: 0

Shimrra

Reputation: 273

You can use http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html

e.g.: you can search for "Mozilla" OR "kurt" in the "message" or "auth" fields:

"query": {
    "query_string": {
        "fields": ["message", "auth"],
        "default_operator": "OR", // or AND
        "query": "Mozilla kurt"
    }
}

Upvotes: 1
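As an added example (not code from the question or from either answer), the script below builds the kind of search body both answers point at: exact clauses on fields that live inside `_source` (they are addressed by their plain name, such as `response`, not `_source.response`) combined with a `query_string` clause like the one in the second answer. It also backslash-escapes the free-text part, because `query_string` parses Lucene syntax and unescaped input such as `auth:*` or `*:*` would silently widen the search to every document. Assumed, and not taken from the page: the index name `feb14` and type `apache_access` are reused from the record shown, Elasticsearch is on `http://localhost:9200`, and the `bool`/`match`/`query_string` DSL of the 1.x line that Logstash 1.4.2 implies.

```python
"""Build and send Elasticsearch searches over the apache_access records.

Added example; not from the question or either answer. Assumptions
(labelled as such, not from the page): index "feb14", type "apache_access",
a node at http://localhost:9200, and the 1.x-era bool/match/query_string DSL.
"""
import json
import urllib.request

# Characters query_string treats as syntax (Lucene's reserved set as listed in
# the Elasticsearch query_string documentation). "<" and ">" cannot be escaped
# and are dropped instead.
_RESERVED = set('+-=!(){}[]^"~*?:\\/&|')
_UNESCAPABLE = set("<>")


def escape_query_string(text: str) -> str:
    """Return text with every reserved character backslash-escaped.

    Without this, user-supplied text pasted into "query" can rewrite the
    query: "auth:*" becomes a field wildcard, "*:*" matches everything.
    """
    out = []
    for ch in text:
        if ch in _UNESCAPABLE:
            continue
        if ch in _RESERVED:
            out.append("\\")
        out.append(ch)
    return "".join(out)


def exact_clauses(**fields):
    """One match clause per _source field, e.g. response="301", verb="GET".

    "match" is used rather than "term" because string fields are analyzed by
    the default mapping: "GET" is indexed as "get", which a non-analyzed
    "term" lookup for "GET" would never find.
    """
    return [{"match": {name: value}} for name, value in fields.items()]


def build_search(free_text=None, text_fields=("message", "auth"),
                 operator="OR", size=10, **exact):
    """Combine exact _source clauses with an optional escaped query_string."""
    must = exact_clauses(**exact)
    if free_text:
        must.append({
            "query_string": {
                "fields": list(text_fields),
                "default_operator": operator,   # "OR" or "AND"
                "query": escape_query_string(free_text),
            }
        })
    # An empty must list would be rejected; fall back to match_all.
    return {"size": size, "query": {"bool": {"must": must or [{"match_all": {}}]}}}


def send_search(body, index="feb14", doc_type="apache_access",
                host="http://localhost:9200"):
    """POST the body to /<index>/<type>/_search and return the parsed reply.

    Assumed endpoint layout; requires a reachable node, so it is not exercised
    offline.
    """
    req = urllib.request.Request(
        f"{host}/{index}/{doc_type}/_search",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def hit_sources(reply):
    """Pull the _source documents out of a search reply."""
    return [hit["_source"] for hit in reply.get("hits", {}).get("hits", [])]


if __name__ == "__main__":
    # Redirected requests for /admin whose message or auth mentions kurt or Mozilla.
    body = build_search(free_text="Mozilla kurt", response="301", request="/admin")
    print(json.dumps(body, indent=2))
    # Uncomment with a node available:
    # for doc in hit_sources(send_search(body)):
    #     print(doc["clientip"], doc["verb"], doc["request"], doc["response"])
```

The escaping matters whenever the free-text part comes from a form, an API caller, or a log line you did not write yourself; the exact clauses are the right tool for structured fields such as `response` or `clientip`, where no parsing should happen at all.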
