David,
my index was created using logstash with Grok filter (see below) using our
logs as a stream in stdin.
I showed the index in my first message. When I am trying to search on
fields (no matter which field) it results in
{"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]}}
Please let me know what info is missing to provide you with.
Filter I use when creating the index:
filter{
grok{
match=>[
"message",
"(?:\?|\&)C\=%{DATA:kw}\&%{DATA}\sT\s%{DATA:town}\sS\s%{WORD:state}\s%{DATA}%{IP:ip}"
]
}
grok{
match=>[
"message",
"(?:\?|\&)SRC\=%{DATA:src}(?:\&|$)"
]
}
}
output {
elasticsearch {
host => localhost
}
stdout { codec => rubydebug }
}
On Tuesday, August 19, 2014 9:43:23 AM UTC-4, David Pilato wrote:
> Have a look at http://www.elasticsearch.org/help/
>
> We can probably help you if we understand what exactly you are doing.
>
> IN could be an english stop word BTW (which is filtered by standard
> analyzer on some elasticsearch versions).
>
> --
> *David Pilato* | *Technical Advocate* | *Elasticsearch.com*
> @dadoonet <https://twitter.com/dadoonet> | @elasticsearchfr
> <https://twitter.com/elasticsearchfr>
>
>
> Le 19 août 2014 à 15:40:20, vitaly (vitaly....@gmail.com <javascript:>) a
> écrit:
>
> David, my question is what I am doing wrong.
>
> Also when I do URI search
> http://<server>:9200/_search?q="state:IN"
> I am getting 0 results
>
> {"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]}}
>
>
> What I could do wrong?
>
> On Tuesday, August 19, 2014 9:20:43 AM UTC-4, David Pilato wrote:
>
>> I don't really understand the question but I'd say that you should use
>> Marvel / Sense.
>> It has a better support for running queries.
>>
>>
>> --
>> *David Pilato* | *Technical Advocate* | *Elasticsearch.com*
>> @dadoonet <https://twitter.com/dadoonet> | @elasticsearchfr
>> <https://twitter.com/elasticsearchfr>
>>
>>
>> Le 19 août 2014 à 15:10:25, vitaly (vitaly....@gmail.com) a écrit:
>>
>> Using elasticsearch-head I do query
>> {
>> "query": {
>> "term": {
>> "NONSENSE":"NONSENSE"
>> }
>> }
>> }
>> The result shows the entire set no matter what I type in "term"
>> {
>>
>> - took: 2
>> - timed_out: false
>> - _shards: {
>> - total: 5
>> - successful: 5
>> - failed: 0
>> }
>> - hits: {
>> - total: 10
>> - max_score: 1
>> - hits: [
>> - {
>> - _index: logstash-2014.08.18
>> - _type: logs
>> - _id: SMUgTGR9R-2SVaL1GTeX9A
>> - _score: 1
>> - _source: {
>> - message: ......
>> - @version: 1
>> - @timestamp: 2014-08-18T16:16:48.797Z
>> - host: .........
>> - kw: area a realty
>> - town: South Bend
>> - state: IN
>> - ip: 198.64.136.68
>> - src: ve-whitepages-dt
>> }
>> }
>> - {
>> - _index: logstash-2014.08.18
>> - _type: logs
>> - _id: yWR6DC9sQ2yAqxG9FJXauw
>> - _score: 1
>> - _source: {
>> - message: ......
>> - @version: 1
>> - @timestamp: 2014-08-18T16:16:48.797Z
>> - host: .......
>> - kw: Doors
>> - town: Chicago
>> - state: IL
>> - ip: 98.213.210.163
>> - src: lsxppc21611
>> }
>> }
>> - {
>> - _index: logstash-2014.08.18
>> - _type: logs
>> - _id: Z_e-DQQkSv2ON1ar1WooSQ
>> - _score: 1
>> - _source: {
>> - message: .......
>> - @version: 1
>> - @timestamp: 2014-08-18T16:16:48.797Z
>> - host: .......
>> - kw: home improvement
>> - town: Clarkston
>> - state: GA
>> - ip: 172.56.1.181
>> - src: lsxppc19735
>> }
>> }
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to elasticsearc...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/elasticsearch/4ee5fa39-804b-4b48-9b76-21225daa9c35%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/elasticsearch/4ee5fa39-804b-4b48-9b76-21225daa9c35%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to elasticsearc...@googlegroups.com <javascript:>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/4ff89a22-7d5b-4843-a12c-eaeafc5df8ed%40googlegroups.com
>
> <https://groups.google.com/d/msgid/elasticsearch/4ff89a22-7d5b-4843-a12c-eaeafc5df8ed%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/03b35e5b-cbf3-4211-adb4-b9de5625f6c3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
