Elasticsearch query results return wrong results
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
I'm trying to do a query for server logs. The search is returning results but there are a couple of issues.
1) I'm specifying the server name, yet I'm getting results back for other servers in the same domain.
2) Even though I'm specifying the query get results back from the past hour, they're coming back from two hours before, i.e. if I perform the search at 1pm, the results are returning from 12pm. The search returns the correct results if I specify sorting by timestamp but this seems to take longer for the results to appear so I would rather not do that unless I have to.
Any help you can give is greatly appreciated.
Here's my query (with edited log name and server name):
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"must": [
{
"match" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"},
"match" : {"source" : "server01.fakedomain.com"},
"match" : {"EventID" : "5145"}
},
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
],
"must_not":
}
},
}
}
elasticsearch asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
add a comment |
I'm trying to do a query for server logs. The search is returning results but there are a couple of issues.
1) I'm specifying the server name, yet I'm getting results back for other servers in the same domain.
2) Even though I'm specifying the query get results back from the past hour, they're coming back from two hours before, i.e. if I perform the search at 1pm, the results are returning from 12pm. The search returns the correct results if I specify sorting by timestamp but this seems to take longer for the results to appear so I would rather not do that unless I have to.
Any help you can give is greatly appreciated.
Here's my query (with edited log name and server name):
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"must": [
{
"match" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"},
"match" : {"source" : "server01.fakedomain.com"},
"match" : {"EventID" : "5145"}
},
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
],
"must_not":
}
},
}
}
elasticsearch asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
add a comment |
I'm trying to do a query for server logs. The search is returning results but there are a couple of issues.
1) I'm specifying the server name, yet I'm getting results back for other servers in the same domain.
2) Even though I'm specifying the query get results back from the past hour, they're coming back from two hours before, i.e. if I perform the search at 1pm, the results are returning from 12pm. The search returns the correct results if I specify sorting by timestamp but this seems to take longer for the results to appear so I would rather not do that unless I have to.
Any help you can give is greatly appreciated.
Here's my query (with edited log name and server name):
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"must": [
{
"match" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"},
"match" : {"source" : "server01.fakedomain.com"},
"match" : {"EventID" : "5145"}
},
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
],
"must_not":
}
},
}
}
elasticsearch asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
I'm trying to do a query for server logs. The search is returning results but there are a couple of issues.
1) I'm specifying the server name, yet I'm getting results back for other servers in the same domain.
2) Even though I'm specifying the query get results back from the past hour, they're coming back from two hours before, i.e. if I perform the search at 1pm, the results are returning from 12pm. The search returns the correct results if I specify sorting by timestamp but this seems to take longer for the results to appear so I would rather not do that unless I have to.
Any help you can give is greatly appreciated.
Here's my query (with edited log name and server name):
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"must": [
{
"match" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"},
"match" : {"source" : "server01.fakedomain.com"},
"match" : {"EventID" : "5145"}
},
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
],
"must_not":
}
},
}
}
elasticsearch elasticsearch asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
asked Nov 16 '18 at 15:05
HockeyFan0000HockeyFan0000
135
135
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
A couple of things here:
If you want to match a keyword exactly, then use a
termquery on akeywordtype field.Unless you're interested in your queries being scored, you should use a
filterclause instead of themustclause.
So your query can look something like this (assuming that your filter fields are keyword type fields).
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"filter": [
{ "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
{ "term" : {"source" : "server01.fakedomain.com"} },
{ "term" : {"EventID" : "5145"} },
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
]
}
},
}
}
answered Nov 16 '18 at 16:20
TimTim
908718
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53340415%2felasticsearch-query-results-return-wrong-results%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
A couple of things here:
If you want to match a keyword exactly, then use a
termquery on akeywordtype field.Unless you're interested in your queries being scored, you should use a
filterclause instead of themustclause.
So your query can look something like this (assuming that your filter fields are keyword type fields).
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"filter": [
{ "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
{ "term" : {"source" : "server01.fakedomain.com"} },
{ "term" : {"EventID" : "5145"} },
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
]
}
},
}
}
answered Nov 16 '18 at 16:20
TimTim
908718
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
add a comment |
A couple of things here:
If you want to match a keyword exactly, then use a
termquery on akeywordtype field.Unless you're interested in your queries being scored, you should use a
filterclause instead of themustclause.
So your query can look something like this (assuming that your filter fields are keyword type fields).
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"filter": [
{ "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
{ "term" : {"source" : "server01.fakedomain.com"} },
{ "term" : {"EventID" : "5145"} },
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
]
}
},
}
}
answered Nov 16 '18 at 16:20
TimTim
908718
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
add a comment |
A couple of things here:
If you want to match a keyword exactly, then use a
termquery on akeywordtype field.Unless you're interested in your queries being scored, you should use a
filterclause instead of themustclause.
So your query can look something like this (assuming that your filter fields are keyword type fields).
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"filter": [
{ "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
{ "term" : {"source" : "server01.fakedomain.com"} },
{ "term" : {"EventID" : "5145"} },
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
]
}
},
}
}
answered Nov 16 '18 at 16:20
TimTim
908718
A couple of things here:
If you want to match a keyword exactly, then use a
termquery on akeywordtype field.Unless you're interested in your queries being scored, you should use a
filterclause instead of themustclause.
So your query can look something like this (assuming that your filter fields are keyword type fields).
var searchParams = {
index: 'logs*',
"body": {
"from" : 0, "size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"query": {
"bool": {
"filter": [
{ "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
{ "term" : {"source" : "server01.fakedomain.com"} },
{ "term" : {"EventID" : "5145"} },
{
"range": {
"timestamp": {
"gte": "now-1h",
"lte": "now/m",
"time_zone": "-05:00"
}
}
}
]
}
},
}
}
answered Nov 16 '18 at 16:20
TimTim
908718
edited Nov 16 '18 at 17:02
answered Nov 16 '18 at 16:20
TimTim
908718
answered Nov 16 '18 at 16:20
TimTim
908718
answered Nov 16 '18 at 16:20
TimTim
908718
908718
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
add a comment |
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.
– HockeyFan0000
Nov 16 '18 at 17:01
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
Glad it worked out for you. Good catch on the comma, I'll edit the answer.
– Tim
Nov 16 '18 at 17:02
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53340415%2felasticsearch-query-results-return-wrong-results%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
