North Dallas Developers Online Curricula

Hands-On Elasticsearch - Part 1

First Queries

First of all, start here.

Kibana:

error

Query:

GET logstash-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "multi_match": { "query": "error" } }
      ]
    }
  }
}

Task: Try to search for “media”. Then search for “medi”. What does this tell us?
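The task above asks what the two searches tell us. The mechanism behind the answer, as an added toy model (not code from the original curriculum, and not Elasticsearch's real analyzer): at index time each document is run through an analyzer that splits text into terms and lowercases them, and a match query analyzes the query text the same way and then looks up whole terms in the inverted index. A prefix lookup is what substring intuition actually needs, and it has to walk the term dictionary instead. The three log lines are constructed sample data; the tokenizer is a rough stand-in for the standard analyzer.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for documents in logstash-* (not real data).
DOCS = {
    1: "GET /media/photo.png 404 error",
    2: "Media upload failed: disk full",
    3: "scheduled maintenance window started",
}


def analyze(text):
    # Rough stand-in for the standard analyzer: split on non-word characters, lowercase.
    # (The real analyzer uses Unicode text segmentation; this is enough to show the idea.)
    return [t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text)]


def build_index(docs):
    # Inverted index: term -> set of document ids containing that exact term.
    index = defaultdict(set)
    for doc_id, text in docs.items():
        for term in analyze(text):
            index[term].add(doc_id)
    return index


def match(index, query_text):
    # A match query analyzes the query text with the same analyzer and ORs the terms.
    # "medi" is not a term in the index, so it matches nothing, even though "media" is.
    hits = set()
    for term in analyze(query_text):
        hits |= index.get(term, set())
    return sorted(hits)


def prefix(index, prefix_text):
    # A prefix (or "medi*" wildcard) query walks the term dictionary instead of looking
    # up one term; that is why it finds "media" for "medi" and why it costs more.
    wanted = prefix_text.lower()
    hits = set()
    for term, ids in index.items():
        if term.startswith(wanted):
            hits |= ids
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(DOCS)
    for q in ("media", "medi"):
        print(f"match {q!r}: {match(idx, q)}   prefix {q!r}: {prefix(idx, q)}")
```

Run it and compare the two lines: the match lookup for "medi" is empty while the prefix walk still returns both documents, which is the difference the task is pointing at.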

Specify a field

Kibana:

@tags: error

Query:

GET logstash-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "@tags": "error" } }
      ]
    }
  }
}

And-ing Things

Kibana:

@tags: error && machine.os: ios

Query:

GET logstash-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "@tags": "error" } },
        { "match": { "machine.os": "ios" } }
      ]
    }
  }
}

NOT

Kibana:

@tags: error && -machine.os: ios

Query:

GET logstash-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "@tags": "error" } }
      ],
      "must_not": [
        { "match": { "machine.os": "ios" } }
      ]
    }
  }
}

Cheating

If you get stuck converting the Lucene syntax that Kibana uses into the JSON syntax of the REST API, you can cheat by handing the Kibana expression to a query_string query, which is the same parser Kibana's query bar sends it to. Do this only for expressions you typed yourself: query_string interprets the full Lucene syntax, including wildcards, regular expressions and fuzzy operators, and returns a parse error on malformed input, so it should never receive unescaped user-supplied text. For search boxes exposed to users, use simple_query_string or build the bool query explicitly.

Kibana:

@tags: error && (machine.os: ios || machine.os: "osx")

Query:

GET logstash-*/_search
{
  "query": {
    "bool": {
      "must": [
        { "query_string": { "query": "@tags: error && (machine.os: ios || machine.os: \"osx\")" } }
      ]
    }
  }
}
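The conversion this page walks through by hand (the "Specify a field", "And-ing Things", "NOT" and "Cheating" sections) can be done mechanically. The following is an added example, not code from the original curriculum: a small parser for the subset of Kibana/Lucene syntax used on this page (field:value, quoted values, && or AND, || or OR, a leading - or NOT for negation, and parentheses) that emits the same bool query DSL the page shows, with bare terms becoming multi_match and negated clauses landing in must_not. The subset and the precedence (AND binds tighter than OR) are assumptions for this example; it also includes the page's query_string "cheat" as a second function for comparison. Because the converter only ever emits match and multi_match clauses, characters such as * or ~ in a value are treated as plain text, which is the safe way to handle search text that did not come from you.

```python
import json
import re

# Token grammar (an assumption for this example, not the full Lucene grammar):
# parentheses, && and ||, the field separator, a double-quoted value, a leading -, or a word.
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||:|"(?:[^"\\]|\\.)*"|-|[^\s():"&|-][^\s():"&|]*)')


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            if not text[pos:].strip():
                break                                   # trailing whitespace only
            raise ValueError(f"unexpected input at {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def unquote(tok):
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        return re.sub(r"\\(.)", r"\1", tok[1:-1])       # "osx" -> osx, \" -> "
    return tok


class Parser:
    """Recursive descent: OR is lowest precedence, then AND, then unary NOT."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek(); self.i += 1; return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek() in ("||", "OR"):
            self.take(); parts.append(self.and_expr())
        return parts[0] if len(parts) == 1 else ("or", parts)
    def and_expr(self):
        parts = [self.unary()]
        while self.peek() in ("&&", "AND"):
            self.take(); parts.append(self.unary())
        return parts[0] if len(parts) == 1 else ("and", parts)
    def unary(self):
        if self.peek() in ("-", "NOT"):
            self.take(); return ("not", self.unary())
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok is None or tok in (")", "&&", "||", ":", "-"):
            raise ValueError(f"expected a term, got {tok!r}")
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() == ":":                          # field: value
            self.take()
            value = self.take()
            if value is None or value in ("(", ")", "&&", "||", ":", "-"):
                raise ValueError(f"missing value for field {tok!r}")
            return ("field", unquote(tok), unquote(value))
        return ("term", unquote(tok))                   # bare term: searched across fields


def clause(node):
    kind = node[0]
    if kind == "term":
        return {"multi_match": {"query": node[1]}}
    if kind == "field":
        return {"match": {node[1]: node[2]}}
    if kind == "not":
        return {"bool": {"must_not": [clause(node[1])]}}
    if kind == "or":
        return {"bool": {"should": [clause(c) for c in node[1]], "minimum_should_match": 1}}
    # "and": negated children go to must_not and the rest to must, as in the NOT section.
    must = [clause(c) for c in node[1] if c[0] != "not"]
    must_not = [clause(c[1]) for c in node[1] if c[0] == "not"]
    q = {"bool": {}}
    if must:
        q["bool"]["must"] = must
    if must_not:
        q["bool"]["must_not"] = must_not
    return q


def to_query_dsl(kibana_text):
    node = Parser(kibana_text).parse()
    if node[0] != "and":                                # always present a top-level bool query
        node = ("and", [node])
    return {"query": clause(node)}


def query_string_fallback(kibana_text):
    # The page's "cheat": let Elasticsearch parse the Lucene syntax. Only for text you
    # wrote yourself; unescaped user input here means wildcards, regexes and parse errors.
    return {"query": {"bool": {"must": [{"query_string": {"query": kibana_text}}]}}}


if __name__ == "__main__":
    expr = '@tags: error && (machine.os: ios || machine.os: "osx")'
    print(json.dumps(to_query_dsl(expr), indent=2))
    print(json.dumps(query_string_fallback(expr), indent=2))
```

Feeding the converter the four Kibana expressions from the earlier sections reproduces the four hand-written queries on this page exactly; the parenthesised example from this section becomes a must clause plus a nested bool with should and minimum_should_match set to 1, which is the explicit form of the query_string cheat.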