I am trying to query Elasticsearch for logs which have one field with some value and another field with another value. My logs look like this in Kibana:

{
   "_index": "logstash-2016.08.01",
   "_type": "logstash",
   "_id": "6345634653456",
   "_score": null,
   "_source": {
      "@timestamp": "2016-08-01T09:03:50.372Z",
      "session_id": "value_1",
      "host": "local",
      "message": "some message here with error",
      "exception": null,
      "level": "ERROR"
    },
   "fields": {
      "@timestamp": [
         1470042230372
      ]
    }
}

I would like to receive all logs which have the value of "ERROR" in the level field (inside _source) and the value of value_1 in the session_id field (also inside _source).

I am managing to query for one of them but not both together:

from elasticsearch import Elasticsearch

host = "localhost"
INDEX = "logstash-2016.08.01"  # index name taken from the record shown above
es = Elasticsearch([{'host': host, 'port': 9200}])

# Lucene query string that matches on the session_id field only
query = 'session_id:"{}"'.format("value_1")
result = es.search(index=INDEX, q=query)

Since you need to match exact values, I would recommend using filters, not queries. A filter for your case would look somewhat like this:

filter = {
  "filter": {
    "and": [
      {
        "term": {
          "level": "ERROR"
        }
      },
      {
        "term": {
          "session_id": "value_1"
        }
      }
    ]
  }
}

And you can pass it to filter using es.search(index=INDEX, body=filter)

EDIT: reason to use filters instead of queries: "In filter context, a query clause answers the question “Does this document match this query clause?” The answer is a simple Yes or No — no scores are calculated. Filter context is mostly used for filtering structured data, e.g."
Source: https://www.elastic.co/guide/en/elasticsearch/reference/2.0/query-filter-context.html

Note that the and filter is currently deprecated; you probably should use {"bool": {"must": [*CONDITIONS GO HERE*]}}
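The following is an added example, not code from the question, the answer or the comment above. It builds the two-condition filter in the non-deprecated bool form the comment points to (using the bool query's filter clause, which exists from Elasticsearch 2.0 onward and evaluates in filter context, so no scores are calculated), builds the equivalent AND query string for the q= style used in the question, and checks the filter's exact-match semantics against a few constructed in-memory documents so it runs without a cluster. The index name, host and port are taken from the question; the sample documents are constructed here.

```python
import json

# Constructed sample documents mirroring the shape of the Kibana record in the question.
SAMPLE_DOCS = [
    {"_id": "1", "_source": {"level": "ERROR", "session_id": "value_1",
                              "message": "some message here with error"}},
    {"_id": "2", "_source": {"level": "ERROR", "session_id": "value_2",
                              "message": "error in another session"}},
    {"_id": "3", "_source": {"level": "INFO", "session_id": "value_1",
                              "message": "same session, not an error"}},
]


def build_term_filter(**exact_values):
    """Search body matching documents where every given field holds exactly the
    given value. The clauses sit in the bool query's filter clause, so they run in
    filter context (yes/no, no scoring) instead of the deprecated top-level 'and'."""
    clauses = [{"term": {field: value}} for field, value in exact_values.items()]
    return {"query": {"bool": {"filter": clauses}}}


def build_query_string(**exact_values):
    """Equivalent Lucene query string for the q= parameter used in the question,
    combining the field:value pairs with AND."""
    return " AND ".join('{}:"{}"'.format(field, value)
                        for field, value in exact_values.items())


def local_filter(docs, body):
    """Evaluate a body produced by build_term_filter against in-memory documents.
    A term clause is an exact, case-sensitive comparison of the stored value,
    which is what the real query does against a not_analyzed field."""
    clauses = body["query"]["bool"]["filter"]
    hits = []
    for doc in docs:
        source = doc["_source"]
        if all(source.get(field) == value
               for clause in clauses
               for field, value in clause["term"].items()):
            hits.append(doc["_id"])
    return hits


if __name__ == "__main__":
    body = build_term_filter(level="ERROR", session_id="value_1")
    print(json.dumps(body, indent=2))
    print(build_query_string(level="ERROR", session_id="value_1"))
    print(local_filter(SAMPLE_DOCS, body))  # only document "1" satisfies both conditions

    # Against a real cluster the same body is passed as in the answer:
    #   from elasticsearch import Elasticsearch
    #   es = Elasticsearch([{"host": "localhost", "port": 9200}])
    #   es.search(index="logstash-2016.08.01", body=body)
```

One caveat the local check makes visible: a term clause does not analyze its input, so build_term_filter(level="error") matches nothing here. On a 2.x index where level is an analyzed string field the stored token would be the lowercased "error", and the term "ERROR" would then miss as well; point the term clauses at a not_analyzed field (Logstash index templates of that era typically provide a .raw subfield, but the exact name depends on your template) or use the query string form, which is analyzed.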
