We are using ElasticSearch with Kibana to query logs.
The data ingested in ElasticSearch is of the following format:
    {
      "took" : 84,
      "timed_out" : false,
      "_shards" : {
        "total" : 5,
        "successful" : 5,
        "skipped" : 0,
        "failed" : 0
      },
      "hits" : {
        "total" : {
          "value" : 5719,
          "relation" : "eq"
        },
        "max_score" : 1.0,
        "hits" : [
          {
            "_index" : "evtdata-2020-11",
            "_type" : "_doc",
            "_id" : "49612101596783840103434103604261455601292612965391925250.0",
            "_score" : 1.0,
            "_source" : {
              "id" : "unknown:B8-27-EB-47-B4-2A",
              "timestamp" : 1604453736242,
              "data" : [
                {
                  "e" : "A",
                  "v" : 15.0
                },
                {
                  "e" : "B",
                  "v" : 30.22
                },
                {
                  "s" : "A",
                  "v" : 1.4
                },
                {
                  "s" : "B",
                  "v" : 310
                },
                {
                  "s" : "C",
                  "v" : 2
                }
              ],
              "drift" : -3.0
            }
          }
        ]
      }
    }
We only want to GET the data index where the value e = A during a specific time range.
    "data" : [
      {
        "e" : "A",
        "v" : 15.0
      }
    ]
Currently the query I have built is:
    GET /evtdata-2020-11/_search
    {
      "_source": [
        "data.e",
        "data.v"
      ],
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "data.e": "A"
              }
            },
            {
              "range": {
                "timestamp": {
                  "gte": 1604453773434,
                  "lt": 1604453778451
                }
              }
            }
          ]
        }
      }
    }
However, with the above query I get all e and v. Can someone please tell me how to change the query to just get the e and v of type A in the response?
You cannot query each object independently of the other objects in the array. If you need to be able to do this, then you should use the nested data type instead of the object data type.
Then you can use inner_hits, where documents are returned based on matches in nested inner objects.
Index Mapping:
    {
      "mappings": {
        "properties": {
          "data": {
            "type": "nested"
          }
        }
      }
    }
Search Query:
    {
      "query": {
        "nested": {
          "path": "data",
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "data.e": "A"
                  }
                }
              ]
            }
          },
          "inner_hits": {}
        }
      }
    }
Search Result:
    "inner_hits": {
      "data": {
        "hits": {
          "total": {
            "value": 1,
            "relation": "eq"
          },
          "max_score": 0.6931471,
          "hits": [
            {
              "_index": "64705886",
              "_type": "_doc",
              "_id": "1",
              "_nested": {
                "field": "data",
                "offset": 0
              },
              "_score": 0.6931471,
              "_source": {
                "e": "A",
                "v": 15.0
              }
            }
          ]
        }
      }
    }
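The following is an added example, written for this page and not taken from the question or the answer above. It models, offline in Python, why the answer says the array elements cannot be queried independently under the default `object` mapping: Elasticsearch flattens `data` into the multi-valued fields `data.e`, `data.v` and `data.s`, so the pairing between an element's `e` and its `v` is lost and a query for `e = B` together with `v = 15.0` matches the sample document even though no single element carries both values. Under the `nested` mapping each element is matched on its own and inner_hits report only the matching element with its offset. The last function assembles the full request the question asks for (nested match on `data.e`, the timestamp range as a filter, inner_hits trimmed to `e` and `v`, top-level `_source` switched off). The sample document is constructed from the one in the question; the functions model Elasticsearch behaviour and do not contact a cluster, and the use of full field paths (`data.e`) inside the inner_hits `_source` list is my assumption about that option, not something the page shows.

```python
"""Added example: object vs nested mapping for an array of objects (not from the page)."""
import json
from typing import Any, Dict, List

# Constructed from the document shown in the question.
SAMPLE_DOC = {
    "id": "unknown:B8-27-EB-47-B4-2A",
    "timestamp": 1604453736242,
    "data": [
        {"e": "A", "v": 15.0},
        {"e": "B", "v": 30.22},
        {"s": "A", "v": 1.4},
        {"s": "B", "v": 310},
        {"s": "C", "v": 2},
    ],
    "drift": -3.0,
}


def flatten_object_array(doc: Dict, field: str) -> Dict[str, List[Any]]:
    """Model of the default `object` mapping: each sub-field of the array
    elements collapses into one multi-valued field, e.g. data.e -> ["A", "B"].
    The association between values of different sub-fields is lost."""
    flat: Dict[str, List[Any]] = {}
    for element in doc.get(field, []):
        for key, value in element.items():
            flat.setdefault(f"{field}.{key}", []).append(value)
    return flat


def object_match_all(doc: Dict, field: str, conditions: Dict[str, Any]) -> bool:
    """`object` mapping: every condition is checked against the flattened field,
    so conditions drawn from different elements still match the document."""
    flat = flatten_object_array(doc, field)
    return all(v in flat.get(f"{field}.{k}", []) for k, v in conditions.items())


def nested_inner_hits(doc: Dict, path: str, conditions: Dict[str, Any],
                      source_fields=("e", "v")) -> List[Dict]:
    """`nested` mapping with inner_hits: each element is matched independently
    and only matching elements are returned, with their offset in the array and
    _source trimmed to the requested sub-fields (as the answer's result shows)."""
    hits = []
    for offset, element in enumerate(doc.get(path, [])):
        if all(element.get(k) == v for k, v in conditions.items()):
            hits.append({
                "_nested": {"field": path, "offset": offset},
                "_source": {k: element[k] for k in source_fields if k in element},
            })
    return hits


def build_nested_query(e_value: str, gte: int, lt: int) -> Dict:
    """Complete request body for the question: nested match on data.e, the
    timestamp range as a filter clause (no scoring needed), inner_hits that
    return only the matching element's e and v, and the root _source disabled
    so the response does not repeat the entire data array."""
    return {
        "_source": False,
        "query": {
            "bool": {
                "filter": [{"range": {"timestamp": {"gte": gte, "lt": lt}}}],
                "must": [{
                    "nested": {
                        "path": "data",
                        "query": {"match": {"data.e": e_value}},
                        # Assumption: inner_hits _source filtering takes full paths.
                        "inner_hits": {"_source": ["data.e", "data.v"]},
                    }
                }],
            }
        },
    }


if __name__ == "__main__":
    print("flattened:", flatten_object_array(SAMPLE_DOC, "data"))
    # False positive under object mapping: e=B and v=15.0 live in different elements.
    print("object e=B,v=15.0:", object_match_all(SAMPLE_DOC, "data", {"e": "B", "v": 15.0}))
    print("nested e=B,v=15.0:", nested_inner_hits(SAMPLE_DOC, "data", {"e": "B", "v": 15.0}))
    print("nested e=A:", nested_inner_hits(SAMPLE_DOC, "data", {"e": "A"}))
    print(json.dumps(build_nested_query("A", 1604453773434, 1604453778451), indent=2))
```

Running the script prints the flattened fields, shows the cross-element false positive that the `object` mapping produces, then the single inner hit (`offset` 0, `e` = A, `v` = 15.0) that the `nested` model returns, matching the shape of the answer's search result. Note that changing the mapping to `nested` requires reindexing existing documents; it cannot be applied in place to an index already holding `data` as `object`.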