Elasticsearch query results return wrong results
I'm trying to do a query for server logs. The search is returning results but there are a couple of issues.



1) I'm specifying the server name, yet I'm getting results back for other servers in the same domain.



2) Even though I'm specifying the query get results back from the past hour, they're coming back from two hours before, i.e. if I perform the search at 1pm, the results are returning from 12pm. The search returns the correct results if I specify sorting by timestamp but this seems to take longer for the results to appear so I would rather not do that unless I have to.



Any help you can give is greatly appreciated.



Here's my query (with edited log name and server name):



var searchParams = {
    index: 'logs*',
    "body": {
        "from" : 0, "size": 50,
        "sort": [
            {
                "timestamp": {
                    "order": "desc",
                    "unmapped_type": "boolean"
                }
            }
        ],
        "query": {
            "bool": {
                "must": [
                    {
                        // three "match" keys in one object literal: JavaScript keeps only
                        // the last one, so only the EventID match is actually sent
                        "match" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"},
                        "match" : {"source" : "server01.fakedomain.com"},
                        "match" : {"EventID" : "5145"}
                    },
                    {
                        "range": {
                            "timestamp": {
                                "gte": "now-1h",
                                "lte": "now/m",
                                "time_zone": "-05:00"
                            }
                        }
                    }
                ],
                "must_not": []   // left empty in the post; an empty array is a no-op
            }
        }
    }
};
elasticsearch

asked Nov 16 '18 at 15:05

HockeyFan0000
          1 Answer
          A couple of things here:




          1. If you want to match a keyword exactly, then use a term query on a keyword type field.


          2. Unless you're interested in your queries being scored, you should use a filter clause instead of the must clause.



          So your query can look something like this (assuming that your filter fields are keyword type fields).



var searchParams = {
    index: 'logs*',
    "body": {
        "from" : 0, "size": 50,
        "sort": [
            {
                "timestamp": {
                    "order": "desc",
                    "unmapped_type": "boolean"
                }
            }
        ],
        "query": {
            "bool": {
                "filter": [
                    { "term" : {"gl2_source_input" : "579f7b6696d78a4f6cbfa745"} },
                    { "term" : {"source" : "server01.fakedomain.com"} },
                    { "term" : {"EventID" : "5145"} },
                    {
                        "range": {
                            "timestamp": {
                                "gte": "now-1h",
                                "lte": "now/m",
                                "time_zone": "-05:00"
                            }
                        }
                    }
                ]
            }
        }
    }
}
          • Awesome! Thank you so much. There's a missing comma after the last bracket of the first search term but it worked once I added that. After I posted the question, I copied a query from our Graylog server and got it working but your solution is MUCH cleaner and MUCH faster. Thanks again.

            – HockeyFan0000
            Nov 16 '18 at 17:01











          • Glad it worked out for you. Good catch on the comma, I'll edit the answer.

            – Tim
            Nov 16 '18 at 17:02
answered Nov 16 '18 at 16:20 by Tim, edited Nov 16 '18 at 17:02
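The following is an added example, not code from the question or the answer. It shows why the posted query matched other servers: the first `must` clause puts three `"match"` keys in one object, and JavaScript object literals and `JSON.parse` both keep only the last duplicate key, so only the `EventID` match ever reached Elasticsearch. It then builds the corrected `bool.filter` request from the answer, adds a pre-flight check that every clause object carries exactly one query type, and runs the filter offline against constructed sample events. `buildSearchParams`, `validateBoolClauses`, `resolveDateMath`, `docMatchesFilters`, `runLocally`, the fixed "now" instant and the sample documents are all assumptions made for the example; no cluster or client library is involved.

```javascript
// Added example (not the question's or the answer's code). Plain Node.js, no
// Elasticsearch cluster or client needed. Function names, the "now" instant
// and the sample documents are constructed for illustration.

// Field values as they appear (already redacted) in the thread.
const SOURCE_INPUT = "579f7b6696d78a4f6cbfa745";
const SOURCE_HOST = "server01.fakedomain.com";
const EVENT_ID = "5145";

// The "must" array exactly as written in the question, run through JSON.parse.
// Three "match" keys share one object; JSON.parse (like a JS object literal)
// keeps only the last duplicate key, so only the EventID match survives and
// the server-name and input filters are silently dropped.
function originalMustClauses() {
  return JSON.parse(`[
    {
      "match": {"gl2_source_input": "${SOURCE_INPUT}"},
      "match": {"source": "${SOURCE_HOST}"},
      "match": {"EventID": "${EVENT_ID}"}
    },
    {"range": {"timestamp": {"gte": "now-1h", "lte": "now/m", "time_zone": "-05:00"}}}
  ]`);
}

// Corrected request following the answer: one query per object in bool.filter,
// term queries for exact values on keyword fields, no scoring.
function buildSearchParams({ size = 50, since = "now-1h" } = {}) {
  return {
    index: "logs*",
    body: {
      from: 0,
      size,
      sort: [{ timestamp: { order: "desc", unmapped_type: "boolean" } }],
      query: {
        bool: {
          filter: [
            { term: { gl2_source_input: SOURCE_INPUT } },
            { term: { source: SOURCE_HOST } },
            { term: { EventID: EVENT_ID } },
            { range: { timestamp: { gte: since, lte: "now/m", time_zone: "-05:00" } } },
          ],
        },
      },
    },
  };
}

// Pre-flight check: every clause object in a bool query must hold exactly one
// query type. Any other count means keys were merged or lost while building it.
function validateBoolClauses(boolQuery) {
  const problems = [];
  for (const occurrence of ["must", "filter", "should", "must_not"]) {
    const clauses = boolQuery[occurrence];
    if (clauses === undefined) continue;
    const list = Array.isArray(clauses) ? clauses : [clauses];
    list.forEach((clause, i) => {
      const keys = Object.keys(clause);
      if (keys.length !== 1) problems.push(`${occurrence}[${i}] carries ${keys.length} query types: ${keys.join(", ")}`);
    });
  }
  return problems;
}

// Date-math resolver for the expressions used in the thread ("now-1h", "now/m").
// Elasticsearch evaluates "now" in UTC regardless of time_zone; time_zone only
// shifts explicit date strings and rounding, and a whole-hour offset cannot move
// a /m (minute) rounding, so it is ignored here.
function resolveDateMath(expr, nowMs) {
  const m = /^now(?:-(\d+)([mhd]))?(?:\/([mhd]))?$/.exec(expr);
  if (!m) throw new Error(`unsupported date math: ${expr}`);
  const unitMs = { m: 60e3, h: 3600e3, d: 86400e3 };
  let t = nowMs;
  if (m[1]) t -= Number(m[1]) * unitMs[m[2]];
  if (m[3]) t = Math.floor(t / unitMs[m[3]]) * unitMs[m[3]];
  return t;
}

// Local evaluator for term and range clauses. term is an exact, unanalyzed
// comparison, which is what keeps other hosts in the same domain out.
function docMatchesFilters(doc, filters, nowMs) {
  return filters.every((clause) => {
    if (clause.term) {
      const [field, value] = Object.entries(clause.term)[0];
      return doc[field] === value;
    }
    if (clause.range) {
      const [field, cond] = Object.entries(clause.range)[0];
      const ts = Date.parse(doc[field]);
      const lo = cond.gte === undefined ? -Infinity : resolveDateMath(cond.gte, nowMs);
      const hi = cond.lte === undefined ? Infinity : resolveDateMath(cond.lte, nowMs);
      return ts >= lo && ts <= hi;
    }
    throw new Error(`unsupported clause type: ${Object.keys(clause).join(", ")}`);
  });
}

// Constructed sample events (not real log data) and a fixed "now" of 13:00 UTC.
const NOW_MS = Date.parse("2018-11-16T13:00:00Z");
const SAMPLE_DOCS = [
  { source: SOURCE_HOST, gl2_source_input: SOURCE_INPUT, EventID: "5145", timestamp: "2018-11-16T12:40:00Z" },
  { source: "server02.fakedomain.com", gl2_source_input: SOURCE_INPUT, EventID: "5145", timestamp: "2018-11-16T12:45:00Z" },
  { source: SOURCE_HOST, gl2_source_input: SOURCE_INPUT, EventID: "4624", timestamp: "2018-11-16T12:50:00Z" },
  { source: SOURCE_HOST, gl2_source_input: SOURCE_INPUT, EventID: "5145", timestamp: "2018-11-16T11:30:00Z" },
];

function runLocally(params, docs, nowMs) {
  return docs.filter((d) => docMatchesFilters(d, params.body.query.bool.filter, nowMs));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("surviving keys in the original first clause:", Object.keys(originalMustClauses()[0].match));
  console.log("validation problems:", validateBoolClauses(buildSearchParams().body.query.bool));
  console.log("local hits:", runLocally(buildSearchParams(), SAMPLE_DOCS, NOW_MS));
}
```

Only the first sample event passes all four filters: the second is another host in the same domain, the third has a different EventID, and the fourth is older than the one-hour window. Running `validateBoolClauses` on a request before sending it catches the collapsed-key mistake early, since the offending clause would report zero or several query types instead of one.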