Answer the question
In order to leave comments, you need to log in
A
A
Anton Ivanov2020-06-08 01:20:10
Anton Ivanov, 2020-06-08 01:20:10
How to use bucket_selector filtering results as a filter in elasticsearch?
elasticsearch has a log index.
I make a request with aggregation and subsequent filtering using bucket_selector(we need the IDs of applications that sent "event1" but did not send "event2").
I get a list of id like this:
{
"took" : 77,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 3882,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"instance_id" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : 3624,
"doc_count" : 1,
"download" : {
"doc_count" : 1,
"unique_count" : {
"value" : 1
}
},
"launch" : {
"doc_count" : 0,
"unique_count" : {
"value" : 0
}
}
},
{
"key" : 3619,
"doc_count" : 1,
"download" : {
"doc_count" : 1,
"unique_count" : {
"value" : 1
}
},
"launch" : {
"doc_count" : 0,
"unique_count" : {
"value" : 0
}
}
},
...
{
"key" : 3388,
"doc_count" : 1,
"download" : {
"doc_count" : 1,
"unique_count" : {
"value" : 1
}
},
"launch" : {
"doc_count" : 0,
"unique_count" : {
"value" : 0
}
}
}
]
}
}
}and now I need to select all documents with all fields filtered by found id (3624, 3619, ... 3388)
You can, of course, collect them with a script and execute another request, but perhaps there is a way to somehow use these results in one query?
Roughly speaking, I need to execute the following query:
{
"query": {
"bool": {
"must": [
{"terms":{"instance_id": [3624, 3619, ..., 3388]}},
{"term":{"name": "download"}}
]
}
}
}How can I do that?
Similar questions
A
L
N
K
N
Nikita Reshetnyak2021-04-20 07:17:15
Is there a rule somewhere for elastalert to monitor postgres?
2Reply
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question