Would this be the correct syntax ?
{match => { severity => {query=>'info',boost=>20}}}
Even with the agressive boost, I'm still getting "notice" as the
prioritised results ?
On Wednesday, 13 August 2014 12:09:43 UTC+1, Jörg Prante wrote:
>
> A reason may be that your result set size is too small for containing both
> severity values. You could either try a larger result set size, or boost
> the "info" clause so you get docs with "info" before "notice.
>
> Jörg
>
>
> On Wed, Aug 13, 2014 at 12:51 PM, Log Muncher <railroad...@gmail.com
> <javascript:>> wrote:
>
>> Well the the Perl module certainly doesn't complain about the syntax, but
>> it stil doesn't manage to output anything other than the "notice" severity ?
>>
>> $ perl test.pl | fgrep "severity"
>> 'severity' => 'notice'
>> 'severity' => 'notice',
>> 'severity' => 'notice',
>> 'severity' => 'notice',
>> 'severity' => 'notice',
>> 'severity' => 'notice',
>> 'severity' => 'notice'
>> 'severity' => 'notice',
>> 'severity' => 'notice',
>> 'severity' => 'notice',
>>
>>
>> $ cat test.pl
>> #!/usr/bin/perl
>>
>> use 5.014;
>> use strict;
>> use warnings;
>> use autodie;
>>
>> use Data::Dumper;
>> use Search::Elasticsearch;
>>
>> my $e = Search::Elasticsearch->new();
>>
>> my $results = $e->search(
>> index => 'logstash-2014.08.13',
>> body => {
>> query => {
>>
>> #match => { severity => 'notice'}
>>
>> "bool" => {
>> "should" => [
>> {match => { severity => 'notice'}},
>> {match => { severity => 'info'}}
>> ]
>> }
>> }
>> }
>> );
>>
>> print Dumper($results);
>>
>>
>>
>>
>>
>>
>>
>> On Wednesday, 13 August 2014 11:40:42 UTC+1, Jörg Prante wrote:
>>
>>> Try this to search "notice" or "info" severity.
>>>
>>> my $results = $e->search(
>>> index => 'logstash-2014.08.13',
>>> body => {
>>> query => {
>>> "bool" => {
>>> "should" => [
>>> { match => { severity => 'notice'} },
>>> { match => { severity => 'info'} }
>>> ]
>>> }
>>> }
>>> }
>>> );
>>>
>>>
>>> Jörg
>>>
>>>
>>> On Wed, Aug 13, 2014 at 12:01 PM, Log Muncher <railroad...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Simple question, but there seems to be a lack of detailed examples for
>>>> using the otherwise very useful Search::Elasticsearch CPAN module !
>>>>
>>>> I'm getting syslog data into elasticsearch via fluentd.
>>>>
>>>> What I'd like to do now is run a perl search that will give me results
>>>> for notice, emerg and crit events. As a test (seeing as I don't get many
>>>> emerg/crit events !), I've tried the below, but it only seems to pick up
>>>> notice events and doesn't return any info events !
>>>>
>>>> Help welcome !
>>>>
>>>> Thanks.
>>>>
>>>> Tim
>>>>
>>>> #!/usr/bin/perl
>>>>
>>>> use 5.014;
>>>> use strict;
>>>> use warnings;
>>>> use autodie;
>>>>
>>>> use Data::Dumper;
>>>> use Search::Elasticsearch;
>>>>
>>>> my $e = Search::Elasticsearch->new();
>>>>
>>>> my $results = $e->search(
>>>> index => 'logstash-2014.08.13',
>>>> body => {
>>>> query => {
>>>> "bool" => {
>>>> "must" => {match => { severity => 'notice'},match
>>>> => { severity => 'info'}}
>>>> }
>>>> }
>>>> }
>>>> );
>>>>
>>>> print Dumper($results);
>>>>
>>>>
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "elasticsearch" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to elasticsearc...@googlegroups.com.
>>>>
>>>> To view this discussion on the web visit https://groups.google.com/d/
>>>> msgid/elasticsearch/42e60034-655f-46ca-979e-308b0e7532e3%
>>>> 40googlegroups.com
>>>> <https://groups.google.com/d/msgid/elasticsearch/42e60034-655f-46ca-979e-308b0e7532e3%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to elasticsearc...@googlegroups.com <javascript:>.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/elasticsearch/1967d9c9-e53e-4037-803c-586dce6a6568%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/elasticsearch/1967d9c9-e53e-4037-803c-586dce6a6568%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/d61847eb-8fb8-46d8-b371-96f23e17fcd7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
