
Here is an example of my documents:

{
    "@timestamp": "2020-04-24T19:36:52.484Z",
    "token": "123",
    "application": "sso_api_v3",
    "ssoapiv3_method": "GET",
    "ssoapiv3_error_description": "Your access token has expired",
    "code": 401,
    "message": "\"message\"",
    "level": 6,
    "facility": "sso_api_v3",
    "type": "gelf"
}
[...]
{
    "@timestamp": "2020-04-24T19:37:52.484Z",
    "token": "123",
    "application": "sso_api_v3",
    "ssoapiv3_method": "GET",
    "ssoapiv3_error_description": "Your access token has expired",
    "code": 200,
    "message": "\"message\"",
    "level": 6,
    "facility": "sso_api_v3",
    "type": "gelf"
}
[...]

I have a huge amount of requests and I would like to do a search in order to get documents with the same token but with code 200 and 401. I can get all 200, all 401, but I'm unable to get this for the same token.

1 Answer

There are two ways to do this.

1. Terms aggregation

Query (the terms filter keeps the documents with code 200 or 401; the token sub-aggregation creates one group per token, and top_hits fetches the documents under each group):

{
  "size": 0,
  "aggs": {
    "code": {
      "filter": {
        "terms": {
          "code": [200, 401]
        }
      },
      "aggs": {
        "token": {
          "terms": {
            "field": "token.keyword",
            "size": 10
          },
          "aggs": {
            "docs": {
              "top_hits": {
                "size": 10
              }
            }
          }
        }
      }
    }
  }
}

Result:

"aggregations" : {
    "code" : {
      "doc_count" : 1,
      "token" : {
        "doc_count_error_upper_bound" : 0,
        "sum_other_doc_count" : 0,
        "buckets" : [
          {
            "key" : "123",
            "doc_count" : 1,
            "docs" : {
              "hits" : {
                "total" : {
                  "value" : 1,
                  "relation" : "eq"
                },
                "max_score" : 1.0,
                "hits" : [
                  {
                    "_index" : "index9",
                    "_type" : "_doc",
                    "_id" : "16UKynEBAWHHnYGORq-d",
                    "_score" : 1.0,
                    "_source" : {
                      "@timestamp" : "2020-04-24T19:36:52.484Z",
                      "token" : "123",
                      "application" : "sso_api_v3",
                      "ssoapiv3_method" : "GET",
                      "ssoapiv3_error_description" : "Your access token has expired",
                      "code" : 401,
                      "message" : """"message"""",
                      "level" : 6,
                      "facility" : "sso_api_v3",
                      "type" : "gelf"
                    }
                  }
                ]
              }
            }
          }
        ]
      }
    }
  }

2. Field collapsing

Returns the top 1 document per value of the group field. You can get the other documents in that group using inner_hits.

Query:

{
  "query": {
    "terms": {
      "code": [
        200,
        401
      ]
    }
  },
  "collapse": {
    "field": "token.keyword",
    "inner_hits": {
      "name": "docs",
      "size": 10,
      "sort": [{ "@timestamp": "asc" }]
    }
  }
}

1 Comment

Unfortunately it does not seem to work; for example I get a token, but I only have 200. What I want is tokens for which I have some documents with 200, and some with 401.
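Neither query above enforces the "both codes for the same token" condition the comment asks for: a terms filter on code [200, 401] keeps every token that has at least one of them. The query below is an added example, not part of the question or the answer, that applies the condition inside the aggregation. It groups by token, counts the 200 and 401 hits per token with a named filters sub-aggregation, and then drops every token bucket where either count is zero with a bucket_selector pipeline aggregation. It assumes the same mapping the answer uses (a token.keyword sub-field and a numeric code field); the aggregation names status, ok, expired, both_codes and docs are chosen here, and the index name is not specified.

```json
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "terms": { "code": [200, 401] } }
      ]
    }
  },
  "aggs": {
    "token": {
      "terms": {
        "field": "token.keyword",
        "size": 10000
      },
      "aggs": {
        "status": {
          "filters": {
            "filters": {
              "ok":      { "term": { "code": 200 } },
              "expired": { "term": { "code": 401 } }
            }
          }
        },
        "both_codes": {
          "bucket_selector": {
            "buckets_path": {
              "ok":      "status['ok']>_count",
              "expired": "status['expired']>_count"
            },
            "script": "params.ok > 0 && params.expired > 0"
          }
        },
        "docs": {
          "top_hits": {
            "size": 10,
            "sort": [{ "@timestamp": "asc" }],
            "_source": ["@timestamp", "code", "ssoapiv3_method", "ssoapiv3_error_description"]
          }
        }
      }
    }
  }
}
```

Two practical notes. First, a bucket_selector only prunes the buckets the terms aggregation actually returned, so the terms size must be large enough to cover every token in the time range you query; for a set larger than search.max_buckets allows, add "include": { "partition": N, "num_partitions": P } to the terms aggregation and run the query once per partition. Second, sorting the top_hits by @timestamp ascending shows whether the 200 came after the 401 for a given token, which is the thing worth looking at in this data: a token that the SSO API rejected as expired and then accepted a minute later is either being refreshed under the same identifier or is being accepted when it should not be.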
