A reason may be that your result set size is too small for containing both
severity values. You could either try a larger result set size, or boost
the "info" clause so you get docs with "info" before "notice.
Jörg
On Wed, Aug 13, 2014 at 12:51 PM, Log Muncher <railroaderslam...@gmail.com>
wrote:
> Well the the Perl module certainly doesn't complain about the syntax, but
> it stil doesn't manage to output anything other than the "notice" severity ?
>
> $ perl test.pl | fgrep "severity"
> 'severity' => 'notice'
> 'severity' => 'notice',
> 'severity' => 'notice',
> 'severity' => 'notice',
> 'severity' => 'notice',
> 'severity' => 'notice',
> 'severity' => 'notice'
> 'severity' => 'notice',
> 'severity' => 'notice',
> 'severity' => 'notice',
>
>
> $ cat test.pl
> #!/usr/bin/perl
>
> use 5.014;
> use strict;
> use warnings;
> use autodie;
>
> use Data::Dumper;
> use Search::Elasticsearch;
>
> my $e = Search::Elasticsearch->new();
>
> my $results = $e->search(
> index => 'logstash-2014.08.13',
> body => {
> query => {
>
> #match => { severity => 'notice'}
>
> "bool" => {
> "should" => [
> {match => { severity => 'notice'}},
> {match => { severity => 'info'}}
> ]
> }
> }
> }
> );
>
> print Dumper($results);
>
>
>
>
>
>
>
> On Wednesday, 13 August 2014 11:40:42 UTC+1, Jörg Prante wrote:
>
>> Try this to search "notice" or "info" severity.
>>
>> my $results = $e->search(
>> index => 'logstash-2014.08.13',
>> body => {
>> query => {
>> "bool" => {
>> "should" => [
>> { match => { severity => 'notice'} },
>> { match => { severity => 'info'} }
>> ]
>> }
>> }
>> }
>> );
>>
>>
>> Jörg
>>
>>
>> On Wed, Aug 13, 2014 at 12:01 PM, Log Muncher <railroad...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Simple question, but there seems to be a lack of detailed examples for
>>> using the otherwise very useful Search::Elasticsearch CPAN module !
>>>
>>> I'm getting syslog data into elasticsearch via fluentd.
>>>
>>> What I'd like to do now is run a perl search that will give me results
>>> for notice, emerg and crit events. As a test (seeing as I don't get many
>>> emerg/crit events !), I've tried the below, but it only seems to pick up
>>> notice events and doesn't return any info events !
>>>
>>> Help welcome !
>>>
>>> Thanks.
>>>
>>> Tim
>>>
>>> #!/usr/bin/perl
>>>
>>> use 5.014;
>>> use strict;
>>> use warnings;
>>> use autodie;
>>>
>>> use Data::Dumper;
>>> use Search::Elasticsearch;
>>>
>>> my $e = Search::Elasticsearch->new();
>>>
>>> my $results = $e->search(
>>> index => 'logstash-2014.08.13',
>>> body => {
>>> query => {
>>> "bool" => {
>>> "must" => {match => { severity => 'notice'},match
>>> => { severity => 'info'}}
>>> }
>>> }
>>> }
>>> );
>>>
>>> print Dumper($results);
>>>
>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "elasticsearch" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to elasticsearc...@googlegroups.com.
>>>
>>> To view this discussion on the web visit https://groups.google.com/d/
>>> msgid/elasticsearch/42e60034-655f-46ca-979e-308b0e7532e3%
>>> 40googlegroups.com
>>> <https://groups.google.com/d/msgid/elasticsearch/42e60034-655f-46ca-979e-308b0e7532e3%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to elasticsearch+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/1967d9c9-e53e-4037-803c-586dce6a6568%40googlegroups.com
> <https://groups.google.com/d/msgid/elasticsearch/1967d9c9-e53e-4037-803c-586dce6a6568%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/CAKdsXoGT62WWavGGDcB4gVkcW%2BdAF4jbYd81oTHiVPUw1ZXKQA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
