[stackoverflow] [progress Openedge Abl] Elasticsearch Query "must Match" In Log

Status
Not open for further replies.
R.C

Guest
I have the following in my log that I would like to use an Elasticsearch query to find:

2014-07-02 20:52:39 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been received, {"uuid"="abc123"}
2014-07-02 20:52:39 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been transferred, {"uuid"="abc123"}
2014-07-02 20:52:39 INFO home.byebyeworld: LOGGER/LOG:ID1234 has successfully been processed, {"uuid"="abc123"}
2014-07-02 20:52:39 INFO home.byebyeworld: LOGGER/LOG:ID1234 has exited, {"uuid"="abc123"}
2014-07-02 20:53:00 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been received, {"uuid"="def123"}
2014-07-02 20:53:00 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been transferred, {"uuid"="def123"}
2014-07-02 20:53:00 INFO home.byebyeworld: LOGGER/LOG:ID1234 has successfully been processed, {"uuid"="def123"}
2014-07-02 20:53:00 INFO home.byebyeworld: LOGGER/LOG:ID1234 has exited, {"uuid"="def123"}


Since each of the above lines is represented as a single "message" in Elasticsearch, I have a hard time querying it using POST REST calls. I tried using "must match" like below to only get line 1 of my log, but it is not consistent: sometimes it returns multiple hits instead of just 1 hit:

{
  "query" : {
    "constant_score" : {
      "filter" : {
        "bool" : {
          "must" : [
            { "match_phrase_prefix" : {"message" : "home.helloworld:"}},
            { "match_phrase_prefix" : {"message" : "LOGGER/LOG:ID1234"}},
            { "match" : {"message" : "received, {\"uuid\"=\"abc123\"}"}}
          ]
        }
      }
    }
  }
}


Am I doing anything wrong with the above Elasticsearch query? I thought "must" is equal to AND, "match" is more of CONTAINS, and "match_phrase_prefix" is STARTSWITH? Can someone please show me how to properly query a log filled with the above lines with different uuid numbers and only return the single hit? Originally I thought I had the query down with the above; it first returned just 1 hit, but then it returned 2, then a lot more... which to me is not consistent. Thank you in advance!!

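The behaviour described in the question is what a `match` clause does by default: the query text is run through the field's analyzer and the resulting terms are combined with OR, so `"received, {\"uuid\"=\"abc123\"}"` is satisfied by any message that contains the term `uuid`, and the hit count then depends on how many lines happen to share the other terms. The following is an added example, not code from the question or from Elasticsearch itself: it models the relevant query semantics locally over the eight constructed log lines from the post, shows why the original query over-matches and the `match_phrase` variant does not, and then shows the approach a detection engineer would prefer, parsing the line into keyword fields and filtering on exact values. The `tokenize` function only approximates the standard analyzer (lowercase, split on non-alphanumerics), and the field names in `structured_filter` are assumptions for an ingest pipeline that parses the line; nothing here contacts a real cluster.

```python
"""Model of Elasticsearch match / match_phrase / match_phrase_prefix semantics,
run locally against the eight constructed log lines from the post.

Assumptions (labelled): tokenize() approximates the standard analyzer; the
field names logger/id/event/uuid are a hypothetical parsed-field mapping.
"""
import json
import re

# Constructed sample documents: each line is one indexed "message" value.
LOG_LINES = [
    '2014-07-02 20:52:39 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been received, {"uuid"="abc123"}',
    '2014-07-02 20:52:39 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been transferred, {"uuid"="abc123"}',
    '2014-07-02 20:52:39 INFO home.byebyeworld: LOGGER/LOG:ID1234 has successfully been processed, {"uuid"="abc123"}',
    '2014-07-02 20:52:39 INFO home.byebyeworld: LOGGER/LOG:ID1234 has exited, {"uuid"="abc123"}',
    '2014-07-02 20:53:00 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been received, {"uuid"="def123"}',
    '2014-07-02 20:53:00 INFO home.helloworld: LOGGER/LOG:ID1234 has successfully been transferred, {"uuid"="def123"}',
    '2014-07-02 20:53:00 INFO home.byebyeworld: LOGGER/LOG:ID1234 has successfully been processed, {"uuid"="def123"}',
    '2014-07-02 20:53:00 INFO home.byebyeworld: LOGGER/LOG:ID1234 has exited, {"uuid"="def123"}',
]


def tokenize(text):
    """Approximation of the standard analyzer: lowercase, split on anything
    that is not a letter or digit, drop empty tokens. Real ES keeps some
    punctuation (e.g. inside words) together; the principle is the same."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def match(doc, query, operator="or"):
    """`match`: analyze the query, then require ANY term (operator=or, the
    default) or ALL terms (operator=and) to be present in the document."""
    doc_terms = set(tokenize(doc))
    present = [t in doc_terms for t in tokenize(query)]
    return all(present) if operator == "and" else any(present)


def match_phrase(doc, query):
    """`match_phrase`: all query terms must occur adjacent and in order."""
    d, q = tokenize(doc), tokenize(query)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


def match_phrase_prefix(doc, query):
    """`match_phrase_prefix`: like match_phrase, but the last term only has
    to be a prefix of the document term at that position."""
    d, q = tokenize(doc), tokenize(query)
    if not q:
        return False
    head, last, n = q[:-1], q[-1], len(q)
    return any(d[i:i + n - 1] == head and d[i + n - 1].startswith(last)
               for i in range(len(d) - n + 1))


def count_hits(predicate):
    return sum(1 for line in LOG_LINES if predicate(line))


def original_query_hits():
    """The post's three must-clauses as written: the `match` clause uses the
    default OR operator, so every line containing the term 'uuid' satisfies
    it and only the phrase-prefix clauses actually narrow the result."""
    return count_hits(lambda m: match_phrase_prefix(m, "home.helloworld:")
                      and match_phrase_prefix(m, "LOGGER/LOG:ID1234")
                      and match(m, 'received, {"uuid"="abc123"}'))


def tightened_query_hits():
    """Same clauses, but the third as match_phrase: the terms
    received / uuid / abc123 must appear adjacent and in order."""
    return count_hits(lambda m: match_phrase_prefix(m, "home.helloworld:")
                      and match_phrase_prefix(m, "LOGGER/LOG:ID1234")
                      and match_phrase(m, 'received, {"uuid"="abc123"}'))


# Parse the line into fields; this is what an ingest/grok step would do so
# that the query can use exact keyword filters instead of free-text matching.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<logger>[\w.]+): "
    r"LOGGER/LOG:(?P<id>\w+) (?P<event>.+?), \{\"uuid\"=\"(?P<uuid>[^\"]+)\"\}$")


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def structured_filter(logger, id_, event, uuid):
    """Bool filter over (assumed) keyword fields: exact values, no analyzer
    surprises, and cacheable because it is a filter rather than a query."""
    return {"query": {"bool": {"filter": [
        {"term": {"logger": logger}},
        {"term": {"id": id_}},
        {"term": {"event": event}},
        {"term": {"uuid": uuid}},
    ]}}}


def structured_hits(query):
    """Evaluate the term filter locally against the parsed sample lines."""
    wanted = {}
    for clause in query["query"]["bool"]["filter"]:
        (field, value), = clause["term"].items()
        wanted[field] = value
    docs = [parse(line) for line in LOG_LINES]
    return sum(1 for d in docs if d and all(d.get(f) == v for f, v in wanted.items()))


if __name__ == "__main__":
    print("original query hits:", original_query_hits())
    print("match_phrase variant hits:", tightened_query_hits())
    q = structured_filter("home.helloworld", "ID1234", "has successfully been received", "abc123")
    print(json.dumps(q, indent=2))
    print("structured filter hits:", structured_hits(q))
```

Under this model the original query returns 4 hits (every `home.helloworld` line, because the `match` clause is satisfied by the shared term `uuid`), while the `match_phrase` variant and the structured filter each return exactly 1. On a real cluster the same fix is to set `"operator": "and"` on the `match` or switch it to `match_phrase`; for log search at scale, parsing the line into keyword fields at ingest is the more robust option, since exact `term` filters do not change behaviour as the analyzer or the surrounding text does.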