Hi - version 1.5.0 of es, 4.10.4 of lucene. Dom
On Thu, May 7, 2015 at 11:24 PM, Jason Wee <peich...@gmail.com> wrote:
> what es version is that?
>
> On Fri, May 8, 2015 at 9:07 AM, Dominic Nicholas <dominic.s.nicho...@gmail.com> wrote:
>
>> Hi,
>>
>> I need some expert guidance on trying to get a bool match working. I'd
>> like the query to only return a successful search result if *both* 'message'
>> matches 'Failed password for', *and* 'path' matches '/var/log/secure'.
>>
>> This is my query :
>>
>> curl -s -XGET 'http://localhost:9200/logstash-2015.05.07/syslog/_search?pretty=true' -d '{
>>   "filter" : { "range" : { "@timestamp" : { "gte" : "now-1h" } } },
>>   "query" : {
>>     "bool" : {
>>       "must" : [
>>         { "match_phrase" : { "message" : "Failed password for" } },
>>         { "match_phrase" : { "path" : "/var/log/secure" } }
>>       ]
>>     }
>>   }
>> } '
>>
>> Here is the start of the output from the search :
>>
>> {
>>   "took" : 3,
>>   "timed_out" : false,
>>   "_shards" : {
>>     "total" : 5,
>>     "successful" : 5,
>>     "failed" : 0
>>   },
>>   "hits" : {
>>     "total" : 46,
>>     "max_score" : 13.308596,
>>     "hits" : [ {
>>       "_index" : "logstash-2015.05.07",
>>       "_type" : "syslog",
>>       "_id" : "AU0wzLEqqCKq_IPSp_8k",
>>       "_score" : 13.308596,
>>       "_source":{"message":"May 7 16:53:50 s_local@logstash-02 sshd[17970]: Failed password for fred from 172.28.111.200 port 43487 ssh2","@version":"1","@timestamp":"2015-05-07T16:53:50.554-07:00","type":"syslog","host":"logstash-02","path":"/var/log/secure"}
>>     }, ...
>>
>> The problem is if I change '/var/log/secure' to just 'var' say, and run
>> the query, I still get a result, just with a lower score. I understood the
>> bool...must construct meant both match terms here would need to be
>> successful. What I'm after is *no* result if 'path' doesn't exactly
>> match '/var/log/secure'...
>>
>> {
>>   "took" : 3,
>>   "timed_out" : false,
>>   "_shards" : {
>>     "total" : 5,
>>     "successful" : 5,
>>     "failed" : 0
>>   },
>>   "hits" : {
>>     "total" : 46,
>>     "max_score" : 10.354593,
>>     "hits" : [ {
>>       "_index" : "logstash-2015.05.07",
>>       "_type" : "syslog",
>>       "_id" : "AU0wzLEqqCKq_IPSp_8k",
>>       "_score" : 10.354593,
>>       "_source":{"message":"May 7 16:53:50 s_local@logstash-02 sshd[17970]: Failed password for fred from 172.28.111.200 port 43487 ssh2","@version":"1","@timestamp":"2015-05-07T16:53:50.554-07:00","type":"syslog","host":"logstash-02","path":"/var/log/secure"}
>>     },...
>>
>> I checked the mappings for these fields to check that they are not
>> analyzed :
>>
>> curl -X GET 'http://localhost:9200/logstash-2015.05.07/_mapping?pretty=true'
>>
>> I think these fields are non-analyzed and so I believe the search will
>> not be analyzed too (based on some training documentation I read recently
>> from elasticsearch). Here is a snippet of the output _mapping for this
>> index below.
>>
>> ....
>>   "message" : {
>>     "type" : "string",
>>     "norms" : {
>>       "enabled" : false
>>     },
>>     "fields" : {
>>       "raw" : {
>>         "type" : "string",
>>         "index" : "not_analyzed",
>>         "ignore_above" : 256
>>       }
>>     }
>>   },
>>   "path" : {
>>     "type" : "string",
>>     "norms" : {
>>       "enabled" : false
>>     },
>>     "fields" : {
>>       "raw" : {
>>         "type" : "string",
>>         "index" : "not_analyzed",
>>         "ignore_above" : 256
>>       }
>>     }
>>   },
>> ....
>>
>> Where am I going wrong (in a bunch of places I'm sure), what am I
>> misunderstanding here (probably a lot!)?
>>
>> Any help would be much appreciated!
>>
>> Thanks
>>
>> --
>> Please update your bookmarks! We moved to https://discuss.elastic.co/
>> ---
>> You received this message because you are subscribed to the Google Groups "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0470f9df-8d9a-48ef-9dbd-a90c8f2db194%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
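As an added example (not part of the thread, not Elasticsearch's own code), a small Python simulation of why `match_phrase` on the analyzed `path` field still matches `var`, and the ES 1.x request body that uses the `not_analyzed` `path.raw` sub-field from the mapping above instead. The tokenizer is a rough approximation of the standard analyzer and the documents are constructed; the `filtered`/`term`/`range` body is written for the 1.5.0 release named in the thread.

```python
import re

# Constructed documents shaped like the _source in the thread; the second one is
# a rotated copy of the log, which shares every token with /var/log/secure.
DOCS = [
    {"message": "May 7 16:53:50 s_local@logstash-02 sshd[17970]: Failed password "
                "for fred from 172.28.111.200 port 43487 ssh2", "path": "/var/log/secure"},
    {"message": "Failed password for root from 10.0.0.5 port 2222 ssh2",
     "path": "/var/log/secure.1"},
    {"message": "session opened for user fred", "path": "/var/log/messages"},
]

def standard_tokens(text):
    """Rough stand-in for the standard analyzer: lowercase, keep only word runs;
    the '/' separators of a path are dropped, so '/var/log/secure' -> var, log, secure."""
    return re.findall(r"[a-z0-9_]+", text.lower())

def match_phrase(field_value, phrase):
    """match_phrase on an analyzed field: the analyzed query tokens must occur
    consecutively among the analyzed field tokens; the raw string is never compared."""
    doc_toks, q_toks = standard_tokens(field_value), standard_tokens(phrase)
    n = len(q_toks)
    return any(doc_toks[i:i + n] == q_toks for i in range(len(doc_toks) - n + 1))

def term_raw(field_value, term):
    """term filter on the not_analyzed .raw sub-field: exact string comparison."""
    return field_value == term

def search(docs, message_phrase, path_value, exact_path=False):
    """Paths of the documents satisfying both clauses, as bool/must requires."""
    hits = []
    for d in docs:
        message_ok = match_phrase(d["message"], message_phrase)
        path_ok = (term_raw(d["path"], path_value) if exact_path
                   else match_phrase(d["path"], path_value))
        if message_ok and path_ok:
            hits.append(d["path"])
    return hits

def exact_query(message_phrase, path_value):
    """ES 1.x request body: phrase match on message plus a term filter on the
    not_analyzed path.raw sub-field and the time range, inside a filtered query."""
    return {"query": {"filtered": {
        "query": {"match_phrase": {"message": message_phrase}},
        "filter": {"bool": {"must": [
            {"term": {"path.raw": path_value}},
            {"range": {"@timestamp": {"gte": "now-1h"}}}]}}}}}
```

With the analyzed field, both `var` and `/var/log/secure` match the rotated file as well, because both reduce to the same tokens; only the `path.raw` term filter restricts hits to the exact path.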