Here is the structure of a document, as returned by the Elastic Search API:
```json
{
  "process_name": "process01",
  "beat": {
    "hostname": "12345",
    "name": "blablabla"
  }
}
```
Filtering by process_name was easy, but how can I filter by host_name, which is nested inside beat?
```json
{
  "size": 10000,
  "query": {
    "bool": {
      "should": [
        { "match": { "process_name": "process01" } },
        { "match": { "process_name": "process02" } }
      ],
      "must": [
        { "match": { beat: { "hostname": "12345" } } }
      ]
    }
  }
}
```
Error message 1:

```
(failed to deserialize object type=class com.logshero.api.SearchApiRequest):
```
```json
{
  "size": 10000,
  "query": {
    "bool": {
      "should": [
        { "match": { "process_name": "process01" } },
        { "match": { "process_name": "process02" } }
      ],
      "must": [
        { "match": { "hostname": "12345" } }
      ]
    }
  }
}
```
Error message 2:

```json
{"hits":{"total":0,"max_score":null,"hits":[]}}
```
You can use the following query. You also have to make sure that `beat` in your mappings is defined as nested type.
```json
{
  "size": 10000,
  "query": {
    "bool": {
      "should": [
        { "match": { "process_name": "process01" } },
        { "match": { "process_name": "process02" } }
      ],
      "must": [
        { "match": { "beat.hostname": "12345" } }
      ]
    }
  }
}
```
Thanks
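To show why the dotted path `beat.hostname` works where the flat `hostname` clause returned zero hits, here is an added example that is not part of the original question or answer: a small, offline evaluator of `match` clauses inside a `bool` query over constructed documents shaped like the one in the question. The documents, the `resolve_path`/`search` helpers and the counts are all assumptions of this example, not Elasticsearch code. It also models one caveat worth knowing before relying on the accepted query: in Elasticsearch's documented `bool` semantics, `should` clauses only restrict results when `minimum_should_match` requires it, and its default drops to 0 as soon as a `must` clause is present, so the hostname filter alone decides the hit set unless `minimum_should_match` is set explicitly.

```python
import json
from copy import deepcopy

# Constructed sample documents (not from the original post), shaped like the
# question's document: the hostname lives inside the "beat" object.
DOCS = [
    {"process_name": "process01", "beat": {"hostname": "12345", "name": "blablabla"}},
    {"process_name": "process02", "beat": {"hostname": "12345", "name": "second"}},
    {"process_name": "process01", "beat": {"hostname": "99999", "name": "elsewhere"}},
    {"process_name": "process03", "beat": {"hostname": "12345", "name": "unrelated"}},
]

# The query from the answer, with "beat.hostname" in dot notation.
ANSWER_QUERY = json.loads("""
{
  "size": 10000,
  "query": {
    "bool": {
      "should": [
        {"match": {"process_name": "process01"}},
        {"match": {"process_name": "process02"}}
      ],
      "must": [
        {"match": {"beat.hostname": "12345"}}
      ]
    }
  }
}
""")


def resolve_path(doc, dotted):
    """Walk a dotted field path such as "beat.hostname" through nested objects.
    Returns None if a segment is missing or an intermediate value is not an
    object, which is why a top-level "hostname" clause finds nothing here."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def clause_matches(doc, clause):
    """Evaluate one {"match": {field: value}} clause by plain equality
    (a stand-in for Elasticsearch's analyzed match; enough for exact IDs)."""
    ((field, value),) = clause["match"].items()
    return resolve_path(doc, field) == value


def bool_matches(doc, bool_q):
    """Bool semantics as Elasticsearch documents them: every "must" clause has
    to match; "should" clauses only have to match when minimum_should_match
    says so, and its default is 1 without must/filter clauses but 0 otherwise."""
    must = bool_q.get("must", [])
    should = bool_q.get("should", [])
    if not all(clause_matches(doc, c) for c in must):
        return False
    default_msm = 1 if (should and not must and "filter" not in bool_q) else 0
    msm = bool_q.get("minimum_should_match", default_msm)
    return sum(clause_matches(doc, c) for c in should) >= msm


def search(docs, query):
    """Return the documents a query would hit, honouring "size"."""
    bool_q = query["query"]["bool"]
    hits = [d for d in docs if bool_matches(d, bool_q)]
    return hits[: query.get("size", 10)]


def hit_count(query):
    return len(search(DOCS, query))


def with_minimum_should_match(query, n):
    """Copy of the query with minimum_should_match set, so the should clauses
    actually restrict the result instead of only affecting scoring."""
    q = deepcopy(query)
    q["query"]["bool"]["minimum_should_match"] = n
    return q


def with_flat_hostname(query):
    """Copy of the query with the question's second attempt: "hostname"
    without the "beat." prefix, which no document here has at the top level."""
    q = deepcopy(query)
    q["query"]["bool"]["must"] = [{"match": {"hostname": "12345"}}]
    return q


if __name__ == "__main__":
    print("answer query as written:", hit_count(ANSWER_QUERY))
    print("with minimum_should_match=1:",
          hit_count(with_minimum_should_match(ANSWER_QUERY, 1)))
    print("flat 'hostname' field:", hit_count(with_flat_hostname(ANSWER_QUERY)))
```

Run as a script it reports three counts: the answer's query hits every document whose `beat.hostname` is `12345` (including the `process03` one), adding `"minimum_should_match": 1` narrows that to the two named processes, and the flat `hostname` clause hits nothing, mirroring the empty `hits` array in the question's second error. The same `minimum_should_match` setting applies to the real query if the intent is that the process names restrict results rather than only influence scoring.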