Elasticsearch5, storing servers logs, find all servers having two given log message

Question

I have the following mapping (I'm using elasticsearch5)

curl -XPUT 'http://localhost:9200/server_logs8?pretty' -d '
{
  "mappings": {
    "kafka-connect": {
      "properties": {
        "message": {
          "type": "string"
        },
        "server_name": {
          "type": "string"
        },
        "timestamp": {
          "type": "date"
        }
      }
    }
  }
}
'

I'm looking for a specific faulty behaviour on my servers, and I need to know which servers are affected. To find them I need to do the following

Find all the server_id that have both "message_a" and "message_b"

for example if I have the documents (one by line)

{"server_id": 1 , "message":  "message_a"}
{"server_id": 1 , "message":  "message_c"}
{"server_id": 1 , "message":  "message_b"}

{"server_id": 2 , "message":  "message_d"}
{"server_id": 2 , "message":  "message_a"}

{"server_id": 3 , "message":  "message_a"}
{"server_id": 3 , "message":  "message_b"}

I want it to return me [1, 3]

Is it possible to do this with ElasticSearch in one query ?

Currently I'm doing a first request "message_a" and then a second request "message_b", and I do the intersection of the two set of "server_id" i got, but I would like to do that in one request (especially if I can create a visuazation in Kibana from there)

message:a AND message:b returns the one message with "a b" inside, which is not what i want — allan.simon, Apr 03 '17 at 08:26
Yeah, forget about my last comment, I was not understanding your problem. — Pigueiras, Apr 03 '17 at 09:25
Can you use keyword type for your message ? or the must be strings ? — Mohammad Mazraeh, May 15 '17 at 09:41
hmm they must be string because i'm checking substring , (except if keyword alow also substring searching ) ? — allan.simon, May 16 '17 at 12:51

Elasticsearch5, storing servers logs, find all servers having two given log message

0 Answers0