|
|
@@ -30,32 +30,32 @@ You can use the search API's <<search-api-query-params-q,`q` query string
|
|
|
parameter>> to run a search in the request's URI. The `q` parameter only accepts
|
|
|
queries written in Lucene's <<query-string-syntax,query string syntax>>.
|
|
|
|
|
|
-To get started, ingest or add some data to an {es} index.
|
|
|
+To get started, ingest or add some data to an {es} data stream or index.
|
|
|
|
|
|
-The following <<docs-bulk,bulk API>> request adds some example user log data to
|
|
|
-the `user_logs_000001` index.
|
|
|
+The following <<docs-bulk,bulk API>> request adds some example server access log
|
|
|
+data to the `my-index-000001` index.
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-PUT /user_logs_000001/_bulk?refresh
|
|
|
-{"index":{"_index" : "user_logs_000001", "_id" : "1"}}
|
|
|
-{ "@timestamp": "2020-12-06T11:04:05.000Z", "user": { "id": "vlb44hny" }, "message": "Login attempt failed" }
|
|
|
-{"index":{"_index" : "user_logs_000001", "_id" : "2"}}
|
|
|
-{ "@timestamp": "2020-12-07T11:06:07.000Z", "user": { "id": "8a4f500d" }, "message": "Login successful" }
|
|
|
-{"index":{"_index" : "user_logs_000001", "_id" : "3"}}
|
|
|
-{ "@timestamp": "2020-12-07T11:07:08.000Z", "user": { "id": "l7gk7f82" }, "message": "Logout successful" }
|
|
|
+PUT /my-index-000001/_bulk?refresh
|
|
|
+{ "index":{ } }
|
|
|
+{ "@timestamp": "2099-11-15T14:12:12", "http": { "request": { "method": "get" }, "response": { "bytes": 1070000, "status_code": 200 }, "version": "1.1" }, "message": "GET /search HTTP/1.1 200 1070000", "source": { "ip": "127.0.0.1" }, "user": { "id": "kimchy" } }
|
|
|
+{ "index":{ } }
|
|
|
+{ "@timestamp": "2099-11-15T14:12:12", "http": { "request": { "method": "get" }, "response": { "bytes": 1070000, "status_code": 200 }, "version": "1.1" }, "message": "GET /search HTTP/1.1 200 1070000", "source": { "ip": "10.42.42.42" }, "user": { "id": "elkbee" } }
|
|
|
+{ "index":{ } }
|
|
|
+{ "@timestamp": "2099-11-15T14:12:12", "http": { "request": { "method": "get" }, "response": { "bytes": 1070000, "status_code": 200 }, "version": "1.1" }, "message": "GET /search HTTP/1.1 200 1070000", "source": { "ip": "10.42.42.42" }, "user": { "id": "elkbee" } }
|
|
|
----
|
|
|
+// TESTSETUP
|
|
|
|
|
|
You can now use the search API to run a URI search on this index.
|
|
|
|
|
|
-The following URI search matches documents with a `user.id` value of `l7gk7f82`.
|
|
|
+The following URI search matches documents with a `user.id` value of `kimchy`.
|
|
|
Note the query is specified using the `q` query string parameter.
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /user_logs_000001/_search?q=user.id:8a4f500d
|
|
|
+GET /my-index-000001/_search?q=user.id:kimchy
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
|
|
|
The API returns the following response. Note the `hits.hits` property contains
|
|
|
the document that matched the query.
|
|
|
@@ -63,7 +63,7 @@ the document that matched the query.
|
|
|
[source,console-result]
|
|
|
----
|
|
|
{
|
|
|
- "took": 2,
|
|
|
+ "took": 5,
|
|
|
"timed_out": false,
|
|
|
"_shards": {
|
|
|
"total": 1,
|
|
|
@@ -79,22 +79,36 @@ the document that matched the query.
|
|
|
"max_score": 0.9808291,
|
|
|
"hits": [
|
|
|
{
|
|
|
- "_index": "user_logs_000001",
|
|
|
- "_id": "2",
|
|
|
+ "_index": "my-index-000001",
|
|
|
+ "_id": "kxWFcnMByiguvud1Z8vC",
|
|
|
"_score": 0.9808291,
|
|
|
"_source": {
|
|
|
- "@timestamp": "2020-12-07T11:06:07.000Z",
|
|
|
- "user": {
|
|
|
- "id": "8a4f500d"
|
|
|
+ "@timestamp": "2099-11-15T14:12:12",
|
|
|
+ "http": {
|
|
|
+ "request": {
|
|
|
+ "method": "get"
|
|
|
+ },
|
|
|
+ "response": {
|
|
|
+ "bytes": 1070000,
|
|
|
+ "status_code": 200
|
|
|
+ },
|
|
|
+ "version": "1.1"
|
|
|
+ },
|
|
|
+ "message": "GET /search HTTP/1.1 200 1070000",
|
|
|
+ "source": {
|
|
|
+ "ip": "127.0.0.1"
|
|
|
},
|
|
|
- "message": "Login successful"
|
|
|
+ "user": {
|
|
|
+ "id": "kimchy"
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TESTRESPONSE[s/"took": 2/"took": "$body.took"/]
|
|
|
+// TESTRESPONSE[s/"took": 5/"took": "$body.took"/]
|
|
|
+// TESTRESPONSE[s/"_id": "kxWFcnMByiguvud1Z8vC"/"_id": "$body.hits.hits.0._id"/]
|
|
|
|
|
|
[discrete]
|
|
|
[[run-request-body-search]]
|
|
|
@@ -105,21 +119,20 @@ body parameter>> to provide a query as a JSON object, written in
|
|
|
<<query-dsl,Query DSL>>.
|
|
|
|
|
|
The following request body search uses the <<query-dsl-match-query,`match`>>
|
|
|
-query to match documents with a `message` value of `login successful`. Note the
|
|
|
+query to match documents with a `user.id` value of `kimchy`. Note the
|
|
|
`match` query is specified as a JSON object in the `query` parameter.
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /user_logs_000001/_search
|
|
|
+GET /my-index-000001/_search
|
|
|
{
|
|
|
"query": {
|
|
|
"match": {
|
|
|
- "message": "login successful"
|
|
|
+ "user.id": "kimchy"
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
|
|
|
The API returns the following response.
|
|
|
|
|
|
@@ -130,7 +143,7 @@ score>> that measures how well each document matches the query.
|
|
|
[source,console-result]
|
|
|
----
|
|
|
{
|
|
|
- "took": 1,
|
|
|
+ "took": 5,
|
|
|
"timed_out": false,
|
|
|
"_shards": {
|
|
|
"total": 1,
|
|
|
@@ -140,52 +153,42 @@ score>> that measures how well each document matches the query.
|
|
|
},
|
|
|
"hits": {
|
|
|
"total": {
|
|
|
- "value": 3,
|
|
|
+ "value": 1,
|
|
|
"relation": "eq"
|
|
|
},
|
|
|
- "max_score": 0.9983525,
|
|
|
+ "max_score": 0.9808291,
|
|
|
"hits": [
|
|
|
{
|
|
|
- "_index": "user_logs_000001",
|
|
|
- "_id": "2",
|
|
|
- "_score": 0.9983525,
|
|
|
+ "_index": "my-index-000001",
|
|
|
+ "_id": "kxWFcnMByiguvud1Z8vC",
|
|
|
+ "_score": 0.9808291,
|
|
|
"_source": {
|
|
|
- "@timestamp": "2020-12-07T11:06:07.000Z",
|
|
|
- "user": {
|
|
|
- "id": "8a4f500d"
|
|
|
+ "@timestamp": "2099-11-15T14:12:12",
|
|
|
+ "http": {
|
|
|
+ "request": {
|
|
|
+ "method": "get"
|
|
|
+ },
|
|
|
+ "response": {
|
|
|
+ "bytes": 1070000,
|
|
|
+ "status_code": 200
|
|
|
+ },
|
|
|
+ "version": "1.1"
|
|
|
},
|
|
|
- "message": "Login successful"
|
|
|
- }
|
|
|
- },
|
|
|
- {
|
|
|
- "_index": "user_logs_000001",
|
|
|
- "_id": "3",
|
|
|
- "_score": 0.49917626,
|
|
|
- "_source": {
|
|
|
- "@timestamp": "2020-12-07T11:07:08.000Z",
|
|
|
- "user": {
|
|
|
- "id": "l7gk7f82"
|
|
|
+ "message": "GET /search HTTP/1.1 200 1070000",
|
|
|
+ "source": {
|
|
|
+ "ip": "127.0.0.1"
|
|
|
},
|
|
|
- "message": "Logout successful"
|
|
|
- }
|
|
|
- },
|
|
|
- {
|
|
|
- "_index": "user_logs_000001",
|
|
|
- "_id": "1",
|
|
|
- "_score": 0.42081726,
|
|
|
- "_source": {
|
|
|
- "@timestamp": "2020-12-06T11:04:05.000Z",
|
|
|
"user": {
|
|
|
- "id": "vlb44hny"
|
|
|
- },
|
|
|
- "message": "Login attempt failed"
|
|
|
+ "id": "kimchy"
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TESTRESPONSE[s/"took": 1/"took": "$body.took"/]
|
|
|
+// TESTRESPONSE[s/"took": 5/"took": "$body.took"/]
|
|
|
+// TESTRESPONSE[s/"_id": "kxWFcnMByiguvud1Z8vC"/"_id": "$body.hits.hits.0._id"/]
|
|
|
|
|
|
[discrete]
|
|
|
[[search-multiple-indices]]
|
|
|
@@ -194,22 +197,21 @@ score>> that measures how well each document matches the query.
|
|
|
To search multiple data streams and indices, add them as comma-separated values
|
|
|
in the search API request path.
|
|
|
|
|
|
-The following request searches the `user_logs_000001` and `user_logs_000002`
|
|
|
+The following request searches the `my-index-000001` and `my-index-000002`
|
|
|
indices.
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /user_logs_000001,user_logs_000002/_search
|
|
|
+GET /my-index-000001,my-index-000002/_search
|
|
|
{
|
|
|
"query": {
|
|
|
"match": {
|
|
|
- "message": "login successful"
|
|
|
+ "user.id": "kimchy"
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
-// TEST[s/^/PUT user_logs_000002\n/]
|
|
|
+// TEST[s/^/PUT my-index-000002\n/]
|
|
|
|
|
|
You can also search multiple data streams and indices using a wildcard (`*`)
|
|
|
pattern.
|
|
|
@@ -223,12 +225,11 @@ GET /user_logs*/_search
|
|
|
{
|
|
|
"query": {
|
|
|
"match": {
|
|
|
- "message": "login successful"
|
|
|
+ "user.id": "kimchy"
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
|
|
|
To search all data streams and indices in a cluster, omit the target from the
|
|
|
request path. Alternatively, you can use `_all` or `*`.
|
|
|
@@ -241,7 +242,7 @@ GET /_search
|
|
|
{
|
|
|
"query": {
|
|
|
"match": {
|
|
|
- "message": "login successful"
|
|
|
+ "user.id": "kimchy"
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
@@ -250,19 +251,20 @@ GET /_all/_search
|
|
|
{
|
|
|
"query": {
|
|
|
"match": {
|
|
|
- "message": "login successful"
|
|
|
+ "user.id": "kimchy"
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
|
|
|
GET /*/_search
|
|
|
{
|
|
|
- "query" : {
|
|
|
- "match" : { "message" : "login" }
|
|
|
+ "query": {
|
|
|
+ "match": {
|
|
|
+ "user.id": "kimchy"
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
|
|
|
include::request/from-size.asciidoc[]
|
|
|
|
James Rodewig