what es version is that?

On Fri, May 8, 2015 at 9:07 AM, Dominic Nicholas <dominic.s.nicho...@gmail.com> wrote:

> Hi,
>
> I need some expert guidance on trying to get a bool match working. I'd
> like the query to only return a successful search result if *both* 'message'
> matches 'Failed password for', *and* 'path' matches '/var/log/secure'.
>
> This is my query :
>
> curl -s -XGET 'http://localhost:9200/logstash-2015.05.07/syslog/_search?pretty=true' -d '{
>   "filter" : { "range" : { "@timestamp" : { "gte" : "now-1h" } } },
>   "query" : {
>     "bool" : {
>       "must" : [
>         { "match_phrase" : { "message" : "Failed password for" } },
>         { "match_phrase" : { "path" : "/var/log/secure" } }
>       ]
>     }
>   }
> }'
>
> Here is the start of the output from the search :
>
> {
>   "took" : 3,
>   "timed_out" : false,
>   "_shards" : {
>     "total" : 5,
>     "successful" : 5,
>     "failed" : 0
>   },
>   "hits" : {
>     "total" : 46,
>     "max_score" : 13.308596,
>     "hits" : [ {
>       "_index" : "logstash-2015.05.07",
>       "_type" : "syslog",
>       "_id" : "AU0wzLEqqCKq_IPSp_8k",
>       "_score" : 13.308596,
>       "_source":{"message":"May 7 16:53:50 s_local@logstash-02 sshd[17970]: Failed password for fred from 172.28.111.200 port 43487 ssh2","@version":"1","@timestamp":"2015-05-07T16:53:50.554-07:00","type":"syslog","host":"logstash-02","path":"/var/log/secure"}
>     }, ...
>
> The problem is if I change '/var/log/secure' to just 'var' say, and run
> the query, I still get a result, just with a lower score. I understood the
> bool...must construct meant both match terms here would need to be
> successful. What I'm after is *no* result if 'path' doesn't exactly match
> '/var/log/secure'...
>
> {
>   "took" : 3,
>   "timed_out" : false,
>   "_shards" : {
>     "total" : 5,
>     "successful" : 5,
>     "failed" : 0
>   },
>   "hits" : {
>     "total" : 46,
>     "max_score" : 10.354593,
>     "hits" : [ {
>       "_index" : "logstash-2015.05.07",
>       "_type" : "syslog",
>       "_id" : "AU0wzLEqqCKq_IPSp_8k",
>       "_score" : 10.354593,
>       "_source":{"message":"May 7 16:53:50 s_local@logstash-02 sshd[17970]: Failed password for fred from 172.28.111.200 port 43487 ssh2","@version":"1","@timestamp":"2015-05-07T16:53:50.554-07:00","type":"syslog","host":"logstash-02","path":"/var/log/secure"}
>     }, ...
>
> I checked the mappings for these fields to check that they are not
> analyzed :
>
> curl -X GET 'http://localhost:9200/logstash-2015.05.07/_mapping?pretty=true'
>
> I think these fields are non-analyzed and so I believe the search will not
> be analyzed too (based on some training documentation I read recently from
> elasticsearch). Here is a snippet of the output _mapping for this index
> below.
>
> ....
>   "message" : {
>     "type" : "string",
>     "norms" : {
>       "enabled" : false
>     },
>     "fields" : {
>       "raw" : {
>         "type" : "string",
>         "index" : "not_analyzed",
>         "ignore_above" : 256
>       }
>     }
>   },
>   "path" : {
>     "type" : "string",
>     "norms" : {
>       "enabled" : false
>     },
>     "fields" : {
>       "raw" : {
>         "type" : "string",
>         "index" : "not_analyzed",
>         "ignore_above" : 256
>       }
>     }
>   },
> ....
>
> Where am I going wrong (in a bunch of places I'm sure), what am I
> misunderstanding here (probably a lot!) ?
>
> Any help would be much appreciated!
>
> Thanks
>
> --
> Please update your bookmarks! We moved to https://discuss.elastic.co/
> ---
> You received this message because you are subscribed to the Google Groups "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0470f9df-8d9a-48ef-9dbd-a90c8f2db194%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
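The behaviour the question describes, as an added illustration that is not from the thread or from Elasticsearch itself: a rough model of what the standard analyzer does to the analyzed `path` field (so `match_phrase` on `path` with `var` still hits) beside the exact comparison a `term` filter on the `not_analyzed` `path.raw` subfield from the quoted mapping performs, plus a filtered-query body that requires the exact path. The analyzer model is a simplification, and the query uses ES 1.x `filtered` syntax, which is assumed from the thread's date.

```python
import json
import re

# Constructed sample document, shaped like the hit quoted in the thread.
DOC = {
    "message": "May 7 16:53:50 s_local@logstash-02 sshd[17970]: "
               "Failed password for fred from 172.28.111.200 port 43487 ssh2",
    "path": "/var/log/secure",
}


def standard_analyze(text):
    """Simplified model of the standard analyzer: lowercase, split on
    non-word characters. '/var/log/secure' becomes ['var', 'log', 'secure']."""
    return re.findall(r"\w+", text.lower())


def match_phrase(field_value, phrase, analyzed=True):
    """match_phrase on an analyzed field: analyze both sides and look for the
    query tokens as a contiguous run in the document tokens. On a
    not_analyzed field both sides are single whole-string tokens."""
    if analyzed:
        doc_tokens, q_tokens = standard_analyze(field_value), standard_analyze(phrase)
    else:
        doc_tokens, q_tokens = [field_value], [phrase]
    n = len(q_tokens)
    return any(doc_tokens[i:i + n] == q_tokens
               for i in range(len(doc_tokens) - n + 1))


def term_filter(field_value, value):
    """term filter on a not_analyzed field (path.raw): exact string equality,
    so 'var' does not match '/var/log/secure'."""
    return field_value == value


def failed_login_query(window="now-1h"):
    """ES 1.x filtered query (assumed version): score on the message phrase,
    but only accept hits whose exact path.raw is /var/log/secure."""
    return {"query": {"filtered": {
        "query": {"match_phrase": {"message": "Failed password for"}},
        "filter": {"bool": {"must": [
            {"term": {"path.raw": "/var/log/secure"}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
    }}}


if __name__ == "__main__":
    print("match_phrase path 'var':", match_phrase(DOC["path"], "var"))
    print("term path.raw 'var':    ", term_filter(DOC["path"], "var"))
    print(json.dumps(failed_login_query(), indent=2))
```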