Re: Terms Filter Assistance

2014-08-22 Thread Adrien Grand
You are trying to perform a join. The closest things to a join that
elasticsearch has are nested documents (index-time joins) and parent/child
relationships (search-time joins). However, I don't think any of these
solutions would work out of the box for you since you are trying to join
on two fields at the same time.


On Wed, Aug 20, 2014 at 10:40 PM, Brian  wrote:

> We have 2 indices (logs & intel) and are trying to search 2 fields in the
> logs index (src & dst) for any match from the intel ip field. The challenge
> is the terms filter is expecting 1 document with all the values to be
> searched for within that document.  The intel index has over 150k documents.
>
> Is there a way to extract the ip field from the intel index (aggregations
> maybe) and use that to search the src & dst fields in the logs index?
>
> Here is the code I am trying to use:
>
> curl -XGET localhost:9200/logs/_search -d '{
>   "query" : {
>     "filtered" : {
>       "filter" : {
>         "terms" : {
>           "src" : {
>             "index" : "intel",
>             "type" : "ipaddress",
>             "id" : "*",
>             "path" : "ip"
>           },
>
>           "dst" : {
>             "index" : "intel",
>             "type" : "ipaddress",
>             "id" : "*",
>             "path" : "ip"
>           }
>         }
>       }
>     }
>   }
> }'
>



-- 
Adrien Grand

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/CAL6Z4j7t8p7Z%3Dob4FeRH1cw0M0eUUa%2BB8-1-bgaui9AiAaNOsg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
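One way to work around the single-document constraint Brian describes, as an added example that is not from either poster: flatten the intel ip field into one lookup document and point two terms lookups (one per field) at it inside a bool should filter. The lookup index name intel_lookup, type ipset, id all and the sample intel hits are constructed assumptions.

```python
import ipaddress

# Constructed sample of hits as a scan/scroll over the intel index would
# return them (real hits come from GET intel/ipaddress/_search).
SAMPLE_INTEL_HITS = [
    {"_id": "1", "_source": {"ip": "203.0.113.7", "source": "feed-a"}},
    {"_id": "2", "_source": {"ip": "198.51.100.42", "source": "feed-b"}},
    {"_id": "3", "_source": {"ip": "203.0.113.7", "source": "feed-c"}},  # duplicate
    {"_id": "4", "_source": {"ip": "not-an-ip", "source": "feed-c"}},    # malformed
]


def collect_intel_ips(hits, field="ip"):
    """Extract, validate and dedupe the ip field across all intel hits."""
    ips = set()
    for hit in hits:
        value = hit.get("_source", {}).get(field)
        if value is None:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            continue  # drop junk indicators instead of poisoning the lookup doc
    return sorted(ips)


def build_lookup_doc(ips):
    """The ONE document the terms lookup reads; index it as intel_lookup/ipset/all."""
    return {"ip": ips}


def terms_lookup(field, index="intel_lookup", doc_type="ipset", doc_id="all", path="ip"):
    """A single-field terms lookup filter (one field per terms filter)."""
    return {"terms": {field: {"index": index, "type": doc_type, "id": doc_id, "path": path}}}


def build_logs_query(fields=("src", "dst")):
    """Filtered query: a log document matches when ANY listed field is in the intel set."""
    return {
        "query": {
            "filtered": {
                "query": {"match_all": {}},
                "filter": {"bool": {"should": [terms_lookup(f) for f in fields]}},
            }
        }
    }
```

Re-index the lookup document whenever the intel feed changes; the query body itself never needs to change.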


Terms Filter Assistance

2014-08-20 Thread Brian
We have 2 indices (logs & intel) and are trying to search 2 fields in the 
logs index (src & dst) for any match from the intel ip field. The challenge 
is the terms filter is expecting 1 document with all the values to be 
searched for within that document.  The intel index has over 150k documents.

Is there a way to extract the ip field from the intel index (aggregations 
maybe) and use that to search the src & dst fields in the logs index?

Here is the code I am trying to use:

curl -XGET localhost:9200/logs/_search -d '{
  "query" : {
    "filtered" : {
      "filter" : {
        "terms" : {
          "src" : {
            "index" : "intel",
            "type" : "ipaddress",
            "id" : "*",
            "path" : "ip"
          },

          "dst" : {
            "index" : "intel",
            "type" : "ipaddress",
            "id" : "*",
            "path" : "ip"
          }
        }
      }
    }
  }
}'

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/b2d9d8c9-4747-4cb6-badc-4752345544dc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.