Zag Gol

Reputation: 1076

Elasticsearch - parsing query that uses curl command

I have a query that runs from code (with an external library), and now I am trying to run it directly from the terminal, using the curl command:

This is the original query:

{
    "index": [
        "logstash-*2021.08.21*",
        "logstash-*2021.08.22*"
    ],
    "ignore_unavailable": true,
    "allow_no_indices": true,
    "type": "doc",
    "body": {
        "query": {
            "bool": {
                "must": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": "now-24H/H"
                            }
                        }
                    }
                ]
            }
        }
    }
}

But running the following query from the Linux terminal:

curl -u "*******:****************" -XGET "https://XXXXXXXXXXXXXXXXXXXXXXXXXX:9200/logstash-*/_search" \
-H 'Content-Type: application/json' \
-d '
 {
    "index": [
        "logstash-*2021.08.21*",
        "logstash-*2021.08.22*"
    ],
    "ignore_unavailable": true,
    "allow_no_indices": true,
    "type": "doc",
    "body": {
        "query": {
            "bool": {
                "must": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": "now-24H/H"
                            }
                        }
                    }
                ]
            }
        }
    }
}
'

returns error:

{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a START_ARRAY in [index].","line":1,"col":10}],"type":"parsing_exception","reason":"Unknown key for a START_ARRAY in [index].","line":1,"col":10},"status":4

It is worth noting that running the following query without additional parameters returns correct results:

curl -u "elastic:****************" -XGET "https://XXXXXXXXXXXXXXXXXXXXXXXXXX:9200/logstash-*/_search"

What do I need to change in the terminal query?

Upvotes: 0

Views: 6022

Answers (2)

Zag Gol

Reputation: 1076

Using apt-get_install_skill's tips, I changed the query to:

curl -u "*******:****************" -XGET --globoff "https://XXXXXXXXXXXXXXXXXXXXXXXXXX:9200/logstash-*2021.08.21*,logstash-*2021.08.22*/_search?ignore_unavailable=true&allow_no_indices=true" -H 'Content-Type: application/json' -d'{"query":{"range":{"@timestamp":{"gte":"now-24H/H"}}}}'

It works. Thanks

Upvotes: 0

apt-get_install_skill

Reputation: 2908

The error occurs because the search API does not specify an indices request body option. Maybe your external library wraps the requests to Elasticsearch, hence you can provide this option.

With

-XGET "https://XXX:9200/logstash-*/_search" 

you already specified that you want to search in all indices matching logstash-*.

Take a look at the documentation here for all possible request and url parameters: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html

If you need to search multiple indices you need to follow the instructions in this guide: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-multiple-indices.html

But since you already have provided an index-pattern in the URL, I don't know if this is still necessary.

Also:

There are no body and type fields allowed in the request body. So after removing the indices array, these will be the next errors that Elasticsearch will complain about.

I hope I could help you.

Upvotes: 1
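
The mapping discussed in the two answers above, written out as an added shell example (not code from the question or from either answer): the library's "index" array becomes the URL path, the two flags become query-string parameters, and only the contents of "body" are sent. ES_HOST, ES_USER, the function names and the index-pattern allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the question or answers.
# Assumed names: ES_HOST and ES_USER environment variables; the allowlist in
# es_index_path is this example's own conservative choice.

# "index" array -> comma-separated URL path segment. Anything that could
# change the path or query string (/ ? & # space ,) is rejected.
es_index_path() {
  _path=
  for _p in "$@"; do
    case $_p in
      ''|*[!a-z0-9._*-]*)
        echo "rejected index pattern: $_p" >&2
        return 1 ;;
    esac
    _path=${_path:+$_path,}$_p
  done
  [ -n "$_path" ] || return 1
  printf '%s' "$_path"
}

# "ignore_unavailable" / "allow_no_indices" -> query-string parameters.
es_search_url() {
  _base=${1%/}
  shift
  _indices=$(es_index_path "$@") || return 1
  printf '%s/%s/_search?ignore_unavailable=true&allow_no_indices=true' \
    "$_base" "$_indices"
}

# Contents of the library's "body" key -> the whole request body.
# "type" has no place in the REST request body and is dropped.
es_query_body() {
  printf '%s' '{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":"now-24H/H"}}}]}}}'
}

# Giving -u only a user name makes curl prompt for the password, which keeps
# it out of shell history and the process list.
es_search() {
  _url=$(es_search_url "$ES_HOST" "$@") || return 1
  curl --globoff -u "$ES_USER" -XGET "$_url" \
    -H 'Content-Type: application/json' -d "$(es_query_body)"
}

# Constructed host name, printed only to show the resulting URL.
es_search_url 'https://es.example.invalid:9200' \
  'logstash-*2021.08.21*' 'logstash-*2021.08.22*'
echo
```

With ES_HOST and ES_USER exported, `es_search 'logstash-*2021.08.21*' 'logstash-*2021.08.22*'` issues the request.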
