My aim is to send 3 separate queries in one ES request using multiple search.
I am using the NEST client to send the query to Elasticsearch using the function below:
IElasticClient _elasticClient.LowLevel.Msearch<string>(query).Body;
Passing as a raw query using curl command works absolutely fine, but NEST MSearch only returns "event_results" and "venue_results" but not "location_results"
curl -XPOST localhost:9200/_msearch -d '
{"index" : "search_results"}
{ "size": 0, "query": { "bool": { "must": [ { "term": { "partnersites": "16" } }, { "match_phrase_prefix": { "name": "manchester" } } ] } }, "aggs": { "event_results": { "terms": { "field": "name.keyword", "size": 1 }, "aggs": { "top_tag_hits": { "top_hits": { "size": 1, "_source": [ "name", "groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "venueUrl", "media", "categories.name" ] } } } } } }
{"index" : "search_results2"}
{ "size": 0, "query": { "bool": { "must": [ { "term": { "partnersites": "16" } }, { "match_phrase_prefix": { "venueName": "Manchester" } } ] } }, "aggs": { "venue_results": { "terms": { "field": "name.keyword", "size": 1 }, "aggs": { "top_tag_hits": { "top_hits": { "size": 1, "_source": [ "name", "groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "venueUrl", "media", "categories.name" ] } } } } } }
{"index" : "search_results3"}
{ "size": 0, "query": { "bool": { "must": [ { "term": { "partnersites": "16" } }, { "match_phrase_prefix": { "venueTown": "manchester" } } ] } }, "aggs": { "location_results": { "terms": { "field": "name.keyword", "size": 1 }, "aggs": { "top_tag_hits": { "top_hits": { "size": 1, "_source": [ "name", "groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "venueUrl", "media", "categories.name" ] } } } } } }
'
Does any of you know where the issue could be?
Whenever possible, you don't want to use the "LowLevel" stuff. Instead, use what is available to you on the IElasticClient. Here is an example of how to use IElasticClient.MultiSearch to run 3 searches using the fluent syntax (which is the preferred way to do this).
var mSearchResponse = ElasticClient.MultiSearch(msearch => msearch
    .Search<RedemptionES>(
        s1 => s1.Query(
            q => q.Term(
                t => t.OnField(f => f.Id).Value("123")
            )
        )
    )
    .Search<RedemptionES>(
        s2 => s2.Query(
            q => q.Term(
                t => t.OnField(f => f.Id).Value("456")
            )
        )
    )
    .Search<RedemptionES>(
        s3 => s3.Query(
            q => q.Term(
                t => t.OnField(f => f.Id).Value("789")
            )
        )
    )
);
The issue lies in the indentation. Try this:
public static string qu = @"{""index"" : ""search_results""}
{ ""size"": 0, ""query"": { ""bool"": { ""must"": [ { ""term"": { ""partnersites"": ""16"" } }, { ""match_phrase_prefix"": { ""name"": ""manchester"" } } ] } }, ""aggs"": { ""event_results"": { ""terms"": { ""field"": ""name.keyword"", ""size"": 1 }, ""aggs"": { ""top_tag_hits"": { ""top_hits"": { ""size"": 1, ""_source"": [ ""name"", ""groupedName"", ""groupedDisplayName"", ""groupedUrl"", ""eventCode"", ""venueName"", ""venueTown"", ""venueId"", ""venueUrl"", ""media"", ""categories.name"" ] } } } } } }
{""index"" : ""search_results2""}
{ ""size"": 0, ""query"": { ""bool"": { ""must"": [ { ""term"": { ""partnersites"": ""16"" } }, { ""match_phrase_prefix"": { ""venueName"": ""Manchester"" } } ] } }, ""aggs"": { ""venue_results"": { ""terms"": { ""field"": ""name.keyword"", ""size"": 1 }, ""aggs"": { ""top_tag_hits"": { ""top_hits"": { ""size"": 1, ""_source"": [ ""name"", ""groupedName"", ""groupedDisplayName"", ""groupedUrl"", ""eventCode"", ""venueName"", ""venueTown"", ""venueId"", ""venueUrl"", ""media"", ""categories.name"" ] } } } } } }
{""index"" : ""search_results3""}
{ ""size"": 0, ""query"": { ""bool"": { ""must"": [ { ""term"": { ""partnersites"": ""16"" } }, { ""match_phrase_prefix"": { ""venueTown"": ""manchester"" } } ] } }, ""aggs"": { ""location_results"": { ""terms"": { ""field"": ""name.keyword"", ""size"": 1 }, ""aggs"": { ""top_tag_hits"": { ""top_hits"": { ""size"": 1, ""_source"": [ ""name"", ""groupedName"", ""groupedDisplayName"", ""groupedUrl"", ""eventCode"", ""venueName"", ""venueTown"", ""venueId"", ""venueUrl"", ""media"", ""categories.name"" ] } } } } } }
";
var result = _elasticClient.LowLevel.Msearch<string>(qu).Body; // Query ES for results.
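The `_msearch` body is newline-delimited JSON: every header and every search body sits on one line, and the payload ends with a newline. The sketch below is an added example, not code from the posts above; it uses Python rather than NEST, and the helper names and abbreviated `_source` list are assumptions. It builds the three searches from objects and checks a raw payload before it is sent.

```python
import json

def build_msearch(searches):
    """Serialize (header, body) pairs into an _msearch NDJSON payload."""
    lines = []
    for header, body in searches:
        lines.append(json.dumps(header))  # json.dumps never emits a newline here
        lines.append(json.dumps(body))
    return "\n".join(lines) + "\n"        # the final newline is part of the format

def inspect_msearch(payload):
    """Return (number of complete searches, list of problems) for a raw payload."""
    problems = []
    if not payload.endswith("\n"):
        problems.append("missing final newline")
    complete = 0
    for number, line in enumerate(payload.splitlines(), start=1):
        try:
            if isinstance(json.loads(line), dict):
                complete += 1
                continue
        except ValueError:
            pass
        problems.append(f"line {number} is not a complete JSON object")
    if complete % 2:
        problems.append("header/body lines are not paired")
    return complete // 2, problems

def autocomplete_search(index, field, text, agg_name):
    """One search from the question; the _source list is shortened here."""
    body = {
        "size": 0,
        "query": {"bool": {"must": [
            {"term": {"partnersites": "16"}},
            {"match_phrase_prefix": {field: text}}]}},
        "aggs": {agg_name: {
            "terms": {"field": "name.keyword", "size": 1},
            "aggs": {"top_tag_hits": {"top_hits": {
                "size": 1, "_source": ["name", "venueName", "venueTown"]}}}}},
    }
    return {"index": index}, body

SEARCHES = [
    autocomplete_search("search_results", "name", "manchester", "event_results"),
    autocomplete_search("search_results2", "venueName", "Manchester", "venue_results"),
    autocomplete_search("search_results3", "venueTown", "manchester", "location_results"),
]
PAYLOAD = build_msearch(SEARCHES)
# Constructed bad inputs: a truncated payload and one with pretty-printed bodies.
NO_NEWLINE = PAYLOAD.rstrip("\n")
PRETTY = "\n".join(json.dumps(h) + "\n" + json.dumps(b, indent=2) for h, b in SEARCHES) + "\n"
```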
I have this mapping for the index in Elastic. I was trying to get the max value of a day for a specific sensor, but my query gets the value of all the sensors.
"sensor": {
"type": "nested",
"properties": {
"type": {
"type": "integer"
},
"name": {
"type": "keyword"
},
"number": {
"type": "integer"
},
"values": {
"type": "nested",
"properties": {
"type": {
"type": "text"
},
"value": {
"type": "float"
},
"unit": {
"type": "text"
},
"Lmin": {
"type": "float"
},
"Lmax": {
"type": "float"
}
}
}
}
And this is the map of objects,
I need only the max and the min value of the last day from sensor number 13. I tried it, but I always get the max of all sensors.
{"query": {
"nested": {
"path": "sensor",
"query": {
"nested": {
"path": "sensor.values",
"query": {
"bool": {
"must": [
{
"match": {
"sensor.values.type": "TEMPERATURE"
}
}
]
}
}
}
}
}
},
"aggs": {
"agg_by_type": {
"nested": {
"path": "sensor.values"
},
"aggs": {
"max_value": {
"max": {
"field": "sensor.values.value"
}
}
}
}
}
}
I'm new to Elasticsearch; can someone help with this, please? Thanks.
You need to also add the nested filter in the aggregation part to only aggregate the relevant nested documents, i.e. the ones related to TEMPERATURE, like this:
{
"query": {
"nested": {
"path": "sensor",
"query": {
"nested": {
"path": "sensor.values",
"query": {
"bool": {
"must": [
{
"match": {
"sensor.values.type": "TEMPERATURE"
}
}
]
}
}
}
}
}
},
"aggs": {
"agg_by_type": {
"nested": {
"path": "sensor.values"
},
"aggs": {
"temperature_only": {
"filter": {
"match": {
"sensor.values.type": "TEMPERATURE"
}
},
"aggs": {
"max_value": {
"max": {
"field": "sensor.values.value"
}
}
}
}
}
}
}
}
After a few days of work on other projects, I came back to try to make this query and finally I can do it. Now I can get the data per day, per hour, and by type of sensor. Thanks for your help.
This is my code, if somebody is trying the same.
{
"query": {
"bool": {
"filter": [
{
"bool": {
"must": [
{
"match": {
"mac": "34:ab:95:8f:84:c0"
}
}
],
"filter": [
{
"range": {
"timestamp": {
"gte": "2021-08-10",
"lt": "2021-08-25"
}
}
}
]
}
},
{
"nested": {
"path": "sensor",
"query": {
"bool": {
"must": [
{
"match": {
"sensor.type": 1
}
}
],
"should": [
{
"nested": {
"path": "sensor.values",
"query": {
"bool": {
"must": [
{
"match": {
"sensor.values.type": "HUMIDITY"
}
},
{
"match": {
"sensor.values.type": "TEMPERATURE"
}
}
]
}
}
}
}
]
}
}
}
}
]
}
},
"aggs": {
"values_per_day": {
"date_histogram": {
"field": "timestamp",
"fixed_interval": "1d",
"format" : "yyyy-MM-dd HH:mm:ss"
},
"aggs": {
"agg_type": {
"nested": {
"path": "sensor"
},
"aggs": {
"type_only": {
"filter": {
"match": {
"sensor.type": 1
}
},
"aggs": {
"agg_by_type": {
"nested": {
"path": "sensor.values"
},
"aggs": {
"temperature_only": {
"filter": {
"match": {
"sensor.values.type": "TEMPERATURE"
}
},
"aggs": {
"max_value": {
"max": {
"field": "sensor.values.value"
}
},
"min_value": {
"min": {
"field": "sensor.values.value"
}
}
}
},
"humedity_only": {
"filter": {
"match": {
"sensor.values.type": "HUMIDITY"
}
},
"aggs": {
"max_value": {
"max": {
"field": "sensor.values.value"
}
},
"min_value": {
"min": {
"field": "sensor.values.value"
}
}
}
}
}
}
}
}
}
}
}
}
},
"from": 0,
"sort": [
{
"timestamp": {
"order": "desc"
}
}
]
}
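Why the answer above adds a `filter` inside the nested aggregation, shown as an added example that is not part of the original posts: a simplified in-memory model (not Elasticsearch itself) in which the nested query selects root documents and the nested aggregation then visits every nested value of those documents. The sample documents and function names are constructed for illustration.

```python
# Constructed sample documents shaped like the mapping in the question.
DOCS = [
    {"sensor": [{"number": 13, "values": [
        {"type": "TEMPERATURE", "value": 21.5},
        {"type": "HUMIDITY", "value": 64.0}]}]},
    {"sensor": [{"number": 13, "values": [
        {"type": "TEMPERATURE", "value": 19.0},
        {"type": "HUMIDITY", "value": 71.0}]}]},
    {"sensor": [{"number": 7, "values": [
        {"type": "PRESSURE", "value": 1013.0}]}]},
]

def nested_values(doc):
    """All sensor.values entries of one root document."""
    return [v for sensor in doc["sensor"] for v in sensor["values"]]

def nested_query(docs, value_type):
    """Model of the nested query: a root document matches as soon as
    one of its sensor.values entries has the requested type."""
    return [d for d in docs
            if any(v["type"] == value_type for v in nested_values(d))]

def max_nested_agg(docs, query_type, filter_type=None):
    """Model of a nested aggregation on sensor.values with a max sub-aggregation.

    The aggregation runs over every nested value of the matching root
    documents; only the optional filter narrows it to one value type.
    """
    bucket = [v for d in nested_query(docs, query_type) for v in nested_values(d)]
    if filter_type is not None:
        bucket = [v for v in bucket if v["type"] == filter_type]
    return max((v["value"] for v in bucket), default=None)

# Without the filter the humidity readings leak into the maximum.
UNFILTERED_MAX = max_nested_agg(DOCS, "TEMPERATURE")
FILTERED_MAX = max_nested_agg(DOCS, "TEMPERATURE", filter_type="TEMPERATURE")
```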
I have a problem with Elasticsearch: when I request it with the following JSON, I get this error: [bool] malformed query, expected [END_OBJECT] but found [FIELD_NAME]
I've tried to look on many sites, but none of them gave me an answer.
{
"query":{
"bool":{
"must":[
{
"match":{
"group_issuer_name":"bnp"
}
},
{
"match":{
"asset_country":"France"
}
}
]
},
"aggs":{
"by_ptf_name":{
"terms":{
"field":"ptf_name.keyword"
},
"aggs":{
"by_ptf_id":{
"terms":{
"field":"ptf_id.keyword"
},
"aggs":{
"sum_of_asset_exposure":{
"sum":{
"field":"asset_exposure"
}
},
"min_of_ptf_total_asset":{
"min":{
"field":"ptf_total_asset"
}
}
}
}
}
}
}
}
}
You are missing }. The query part must be closed and then the aggregation part should start.
The structure should be
{
"query": {},
"aggregation": {}
}
Modify your query as -
{
"query": {
"bool": {
"must": [
{
"match": {
"group_issuer_name": "bnp"
}
},
{
"match": {
"asset_country": "France"
}
}
]
}
}, // note this
"aggs": {
"by_ptf_name": {
"terms": {
"field": "ptf_name.keyword"
},
"aggs": {
"by_ptf_id": {
"terms": {
"field": "ptf_id.keyword"
},
"aggs": {
"sum_of_asset_exposure": {
"sum": {
"field": "asset_exposure"
}
},
"min_of_ptf_total_asset": {
"min": {
"field": "ptf_total_asset"
}
}
}
}
}
}
}
}
I am trying to add config data according to these yang modules:
https://github.com/mbj4668/pyang/blob/master/modules/ietf/ietf-routing.yang
https://github.com/mbj4668/pyang/blob/master/modules/ietf/ietf-ipv4-unicast-routing.yang
I am getting error sysrepocfg error: libyang: Unknown element "next-hop-list" when trying to use "next-hop-list" with below data.
{
"ietf-routing:routing": {
"control-plane-protocols": {
"control-plane-protocol": [
{
"type": "static",
"name": "static-routing-protocol",
"static-routes": {
"ietf-ipv4-unicast-routing:ipv4": {
"route": [
{
"destination-prefix": "0.0.0.0/0",
"next-hop-list": {
"next-hop": [
{
"index": "1",
"next-hop-address": "192.0.2.2"
}
]
}
}
]
}
}
}
]
}
}
}
Unable to figure out the error, any help?
I am able to use "simple-next-hop" with below data, that works fine.
{
"ietf-routing:routing": {
"control-plane-protocols": {
"control-plane-protocol": [
{
"type": "static",
"name": "static-routing-protocol",
"static-routes": {
"ietf-ipv4-unicast-routing:ipv4": {
"route": [
{
"destination-prefix": "0.0.0.0/0",
"next-hop": {
"next-hop-address": "192.0.2.2"
}
}
]
}
}
}
]
}
}
}
Fixed it! 'next-hop-list' had to be inside 'next-hop'.
{
"ietf-routing:routing": {
"control-plane-protocols": {
"control-plane-protocol": [
{
"type": "static",
"name": "static-routing-protocol",
"static-routes": {
"ietf-ipv4-unicast-routing:ipv4": {
"route": [
{
"destination-prefix": "0.0.0.0/0",
"next-hop": {
"next-hop-list": {
"next-hop": [
{
"index": "1",
"next-hop-address": "192.0.2.2"
},
{
"index": "2",
"next-hop-address": "192.0.2.3"
}
]
}
}
}
]
}
}
}
]
}
}
}
Purpose of the query below is to return n results for each criteria i.e. it must match partnersites 16 and match 'venueTown' or partnersites 16 and match 'venueName'. Currently it returns the results where each field must contain the same string. In my case fields: name, venueName and venueTown must contain manchester, but I want separate results for each pair {(partnersites, venueName), (partnersites, venueTown)}.
{
"size": 0,
"_source": ["groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "media"],
"query": {
"bool": {
"must": [{
"match": {
"partnersites": {
"query": "16"
}
}
}, {
"match": {
"name": "manchester"
}
}, {
"match": {
"venueName": "manchester"
}
}, {
"match": {
"venueTown": "manchester"
}
}, {
"match": {
"venueTown": "manchester"
}
}]
}
},
"aggs": {
"distinct_names": {
"terms": {
"field": "name.keyword",
"size": 10
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1,
"_source": ["groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "media"]
}
}
}
},
"distinct_venues": {
"terms": {
"field": "venueName.keyword",
"size": 10
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1,
"_source": ["groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "media"]
}
}
}
},
"distinct_towns": {
"terms": {
"field": "venueTown.keyword",
"size": 10
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1,
"_source": ["groupedName", "groupedDisplayName", "groupedUrl", "eventCode", "venueName", "venueTown", "venueId", "media"]
}
}
}
}
}
}
Try this:
{
"size": 0,
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"bool": {
"must": [
{
"term": {
"partnersites": "16"
}
},
{
"match_phrase_prefix": {
"name": "mancheste"
}
}
]
}
},
{
"bool": {
"must": [
{
"term": {
"partnersites": "16"
}
},
{
"match_phrase_prefix": {
"venueName": "mancheste"
}
}
]
}
},
{
"bool": {
"must": [
{
"term": {
"partnersites": "16"
}
},
{
"match_phrase_prefix": {
"venueTown": "mancheste"
}
}
]
}
}
]
}
}
]
}
},
"aggs": {
"distinct_names": {
"terms": {
"field": "groupedName.keyword",
"size": 30
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1,
"_source": [
"groupedName",
"groupedDisplayName",
"groupedUrl",
"eventCode",
"venueName",
"venueTown",
"venueId",
"media"
]
}
}
}
}
}
}
I am trying to find all documents in which the content field contains the word "syria" and have the epoch time be greater than 1465312440000. The following query runs, but only returns the documents that contain the word "syria". How do I fix this? (Elasticsearch version 2.2)
{
"query": {
"filtered": {
"query": {
"match": {
"content": "syria"
},
"filter": {
"term": {
"sourceOriginator": "Twitter"
},
"bool": {
"range": {
"epochCollectionDate": {
"gte": 1465312440
}
}
}
}
}
}
}
}
Thank you Guys.
I struggled with this, so if someone is looking for how to do this with aggregation as well: I used winlogbeat, but it will work with other indexes, just change the terms and field names.
I tested this with Elastic 7.1.1
{
"size": 0,
"query": {
"bool": {
"must": [
{
"match": {
"winlog.event_id": "5156"
}
}
],
"filter": [
{
"term": {
"winlog.provider_name" : "Microsoft-Windows-Security-Auditing"
}
},
{
"range": {
"@timestamp": {
"gt": "now-10d",
"lt": "now"
}
}
}
]
}
},
"aggregations": {
"event_count": {
"value_count": {
"field": "winlog.event_id"
}
},
"group_by_host": {
"terms": {
"field": "host.name",
"size": 10,
"min_doc_count": 1,
"shard_min_doc_count": 0,
"show_term_doc_count_error": false,
"order": [
{
"_count": "desc"
},
{
"_key": "asc"
}
]
}
}
}
}
Of course it is hard to test without the data, but the filter is wrong. It should be on the same level as the second query. In my opinion the following solution is easier:
{
"query": {
"bool": {
"must": [
{
"match": {
"content": "syria"
}
}
],
"filter": [
{
"term": {
"sourceOriginator": "Twitter"
}
},
{
"range": {
"epochCollectionDate": {
"gte": 1465312440
}
}
}
]
}
}
}
Just to complement @Jettro's solution which will only work on ES 2.0 and later, the following one will work on all versions up to ES 5.
{
"query": {
"filtered": {
"query": {
"match": {
"content": "syria"
}
},
"filter": {
"bool": {
"must": [
{
"term": {
"sourceOriginator": "Twitter"
}
},
{
"range": {
"epochCollectionDate": {
"gte": 1465312440
}
}
}
]
}
}
}
}
}
Note that if you are on ES 2.0 or later, you should really use @Jettro's solution as the filtered query has been deprecated in 2.0.
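Both the "[bool] malformed query" question and the `filtered` question above come down to a query clause that holds two keys where only one query type is allowed. The following is an added example, not code from any of the posts: a small structural check in Python that reports where that happens. The slot table covers only the compound queries used on this page, and the sample bodies are abbreviated from the questions.

```python
# Compound query types on this page and the parameters that hold sub-clauses.
CLAUSE_SLOTS = {
    "bool": ("must", "filter", "should", "must_not"),
    "nested": ("query",),
    "filtered": ("query", "filter"),  # deprecated in ES 2.0, per the answer above
}

def check_clause(clause, path, problems):
    """A query clause must be an object with exactly one key, the query type."""
    if not isinstance(clause, dict):
        problems.append(f"{path}: expected an object, found {type(clause).__name__}")
        return
    if len(clause) != 1:
        problems.append(f"{path}: expected one query type, found {sorted(clause)}")
    for query_type, params in clause.items():
        if not isinstance(params, dict):
            continue
        for slot in CLAUSE_SLOTS.get(query_type, ()):
            if slot not in params:
                continue
            children = params[slot]
            if isinstance(children, dict):  # a slot accepts one clause or a list
                children = [children]
            for i, child in enumerate(children):
                check_clause(child, f"{path}.{query_type}.{slot}[{i}]", problems)

def lint_search_body(body):
    """Return a list of structural problems found under the top-level "query"."""
    problems = []
    if "query" in body:
        check_clause(body["query"], "query", problems)
    return problems

# Abbreviated from the questions on this page.
MISPLACED_AGGS = {"query": {
    "bool": {"must": [{"match": {"group_issuer_name": "bnp"}}]},
    "aggs": {"by_ptf_name": {"terms": {"field": "ptf_name.keyword"}}}}}
FILTERED_BROKEN = {"query": {"filtered": {"query": {
    "match": {"content": "syria"},
    "filter": {"term": {"sourceOriginator": "Twitter"},
               "bool": {"range": {"epochCollectionDate": {"gte": 1465312440}}}}}}}}
FIXED = {"query": {"bool": {
    "must": [{"match": {"content": "syria"}}],
    "filter": [{"term": {"sourceOriginator": "Twitter"}},
               {"range": {"epochCollectionDate": {"gte": 1465312440}}}]}}}
```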