elastic search nested filter

Question

Here is the structure of a document, as returned by the Elastic Search API:

{ "process_name":"process01", "beat": { "hostname":"12345","name":"blablabla" }, }

Filtering by process_name was easy, but how can I filter by host_name, which is nested inside beat?

Failed attempt 1

{ "size":10000, "query" : { "bool" : { "should": [ { "match" : { "process_name" : "process01" } }, { "match" : { "process_name" : "process02" } } ], "must": [ { "match" : { beat: { "hostname":"12345" } } } ] } } }

error message 1:

(failed to deserialize object type=class com.logshero.api.SearchApiRequest):

Failed attempt 2

{ "size":10000, "query" : { "bool" : { "should": [ { "match" : { "process_name" : "process01" } }, { "match" : { "process_name" : "process02" } } ], "must": [ { "match" : { "hostname":"12345" } } ] } } }

error message 2:

{"hits":{"total":0,"max_score":null,"hits":[]}}

score 1 · Accepted Answer · answered Mar 07 '17 at 05:14

you can use the following query. You also have to make sure that beat in your mappings is defined as nested type.

{
    "size": 10000,
    "query": {
        "bool": {
            "should": [{
                "match": {
                    "process_name": "process01"
                }
            }, {
                "match": {
                    "process_name": "process02"
                }
            }],
            "must": [{
                "match": {
                    "beat.hostname": "12345"
                }
            }]
        }
    }
}

Thanks

elastic search nested filter

1 Answers1