I can't figure out what's wrong in my ES query. I want to filter on a specific field, and also sort by another field.

Request:

GET /_search
{
    "query" : {
        "term": {
          "_type" : "monitor"
        },
        "filtered" : {
            "filter" : { "term" : { "ProcessName" : "myProc" }}
        }
    },
    "sort": { "TraceDateTime": { "order": "desc", "ignore_unmapped": "true" }}
}

Response:

{
   "error": {
      "root_cause": [
         {
            "type": "parse_exception",
            "reason": "failed to parse search source. expected field name but got [START_OBJECT]"
         }
      ],
      "type": "search_phase_execution_exception",
      "reason": "all shards failed",
      "phase": "query",
      "grouped": true,
      "failed_shards": [
         {
            "shard": 0,
            "index": ".kibana",
            "node": "94RPDCjhQh6eoTe6XoRmSg",
            "reason": {
               "type": "parse_exception",
               "reason": "failed to parse search source. expected field name but got [START_OBJECT]"
            }
         }
      ]
   },
   "status": 400
}
ohadinho

1 Answer

You have a syntax error in your query. You need to enclose both of your term queries inside a bool/must compound query. It needs to be like this:

POST /_search
{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "term": {
                "ProcessName": "myProc"
              }
            },
            {
              "term": {
                "_type": "monitor"
              }
            }
          ]
        }
      }
    }
  },
  "sort": {
    "TraceDateTime": {
      "order": "desc",
      "ignore_unmapped": "true"
    }
  }
}

PS: Always use POST when sending a payload in your query.

Val
  • Hi Val, now I'm getting this response: { "took": 1, "timed_out": false, "_shards": { "total": 2, "successful": 2, "failed": 0 }, "hits": { "total": 0, "max_score": null, "hits": [] } } Although the "ProcessName" value does exist. If I eliminate the first term, it finds all documents. – ohadinho Apr 07 '16 at 14:16
  • Try `myproc` in lowercase instead. It's most likely because your `ProcessName` field is analyzed. – Val Apr 07 '16 at 14:16
  • WORKS! Thanks maestro! – ohadinho Apr 07 '16 at 14:21
  • Another little question: the docs say I should use GET for search: https://www.elastic.co/guide/en/elasticsearch/guide/current/_sorting.html Why should we use POST? – ohadinho Apr 07 '16 at 14:31
  • The doc is not always 100% correct. See this: http://stackoverflow.com/questions/34795053/es-keeps-returning-every-document/34796014#34796014 – Val Apr 07 '16 at 14:32
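
Added example (not code from the question, the answer or Elasticsearch itself): a Python sketch of the two problems in this thread, namely the "query" object holding two clauses, and the term query for "myProc" finding nothing on an analyzed field. All function names are hypothetical, and `analyzed_tokens` is only a rough approximation of the standard analyzer (split on non-alphanumerics, lowercase).

```python
import re

def query_shape_errors(body):
    """List structural problems in the "query" part of a search body."""
    query = body.get("query")
    if not isinstance(query, dict):
        return ['"query" must be an object']
    if len(query) != 1:
        return ['"query" holds %d clauses (%s); wrap them in one compound clause'
                % (len(query), ", ".join(sorted(query)))]
    return []

def filtered_bool_must(*term_pairs):
    """Build the answer's shape: filtered -> filter -> bool -> must -> [term, ...]."""
    must = [{"term": {field: value}} for field, value in term_pairs]
    return {"query": {"filtered": {"filter": {"bool": {"must": must}}}}}

def analyzed_tokens(text):
    """Approximation (assumption) of the standard analyzer: tokenize, then lowercase."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]

def term_hits(stored_value, term_value, analyzed=True):
    """A term query compares its value, unmodified, with the indexed tokens."""
    tokens = analyzed_tokens(stored_value) if analyzed else [stored_value]
    return term_value in tokens

# Constructed copy of the question's body: two clauses directly under "query".
BROKEN = {"query": {"term": {"_type": "monitor"},
                    "filtered": {"filter": {"term": {"ProcessName": "myProc"}}}}}
# The answer's structure, with the lowercase value suggested in the comments.
FIXED = filtered_bool_must(("ProcessName", "myproc"), ("_type", "monitor"))

if __name__ == "__main__":
    print(query_shape_errors(BROKEN))   # one error naming both clauses
    print(query_shape_errors(FIXED))    # no errors
    # Document stored "myProc"; the analyzed field indexed the token "myproc".
    print(term_hits("myProc", "myProc"), term_hits("myProc", "myproc"))
```

With `analyzed=False` (a not_analyzed field) the original-case value matches, because the stored string is indexed as a single unmodified token.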