select a single field with applying filters in elasticsearch
I would like to select all the filename field values by ACCOUNT and APPLICATION_NAME Assuming as in SQL I need to do this :
select filename.keyword from XXX where ACCOUNT='monitoring' and APPLICATION_NAME='webapp'
this is a screenshot of a log entry sample in the kibana interface
selecting the unique values of a specific field is exactly like running an aggregation query at one of the SQL databases for example
selecting by field.keyword is something like passing an enum value that should exactly match one of the existing values against this field.
setting size to 0 will retrieve the aggregation result only without associating with it the list of sources.
in an agg query as I said above it is selecting one of the aggregation functions against some fields that could be one or more
incase they are multiple this should become a composite aggregation.
Composite aggregartion require specifing composite.sources in the query request body.
this query worked for me in case I wanted to selelct filename and POD_ID uniques pairs.
{
"size": "0",
"aggs": {
"custom_agg_name_whatever_you_want": {
"composite": {
"sources": [
{
"FILENAME": {
"terms": {
"field": "filename.keyword"
}
}
},
{
"POD_ID":{
"terms": {
"field": "POD_ID.keyword"
}
}
}
]
}
}
},
"query": {
"bool": {
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"should": [
{
"match_phrase": {
"ACCOUNT.keyword": "searchValue"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"APPLICATION_NAME.keyword": "searchValue"
}
}
],
"minimum_should_match": 1
}
}
]
}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "2022-03-21T09:09:09.277Z",
"lte": "2022-03-25T09:09:09.277Z"
}
}
}
]
}
}
}
- In a standard MS Access SQL query output that does not have any aliases, how do I replace the full names by their "first-letters" aliases?
- Convert SQL containing GROUP BY and SUM() to active record in CodeIgniter
- output sql data to html with hyperlink
- Update all column names to be lowercase
- SQL Server pivoting on data without an aggregate
- replace or remove characters and then cast to decimal
- Export specific rows from a PostgreSQL table as INSERT SQL script
- Query to get only numbers from a string
- SQL grouping result to half hour
- table is specified twice both as a target for INSERT and as separate source of data
- SQL to JSON Need Bracket for Array that can have multiple rows
- Find all occurrences of Substring and replace it with a special characters
- Oracle Merge statement 'ON' vs 'UPDATE' conditions performance on target table
- How to do aggregate raw sql with julian date in sqlite (with django)
- SQL Merge SOURCE order and OUTPUT order
- Notepad++/Eclipse sql code auto-indent option?
- Output of update statement does not show correct row number
- Map table to exactly one of three
- PostgreSQL - ERROR: column does not exist SQL state: 42703
- How to force evaluation of subquery before joining / pushing down to foreign server
- SQL SELECT TOP 1 FOR EACH GROUP
- Convert a date to timestamp in a join with interpolation
- How To CAST substring as a DATE
- batch update a column using sql
- Firebird SQL add empty rows in resultset
- How do I cast a timestamp column as a MM/DD/YYYY in BigQuery
- Parsing JSON with Oracle SQL without knowing incoming field names
- Selecting from random column in PL/SQL
- Simple Query to Grab Max Value for each ID
- How to programmatically check if row is deletable?