You can use a top_hits aggregation that groups on the country field, returns 1 doc per group, and orders the docs by the collected date descending: POST /test/_search?search_type=count { “aggs”: { “group”: { “terms”: { “field”: “country” }, “aggs”: { “group_docs”: { “top_hits”: { “size”: 1, “sort”: [ { “collected”: { “order”: “desc” } } … Read more
If you are using the default analyzer (standard) there is nothing for it to analyze if it is an empty string. So you need to index the field verbatim (not analyzed). Here is an example: Add a mapping that will index the field untokenized, if you need a tokenized copy of the field indexed as … Read more
No, you can’t do this using the builtin versioning. All that does is to store the current version number to prevent you applying updates out of order. If you wanted to keep multiple versions available, then you’d have to implement that yourself. Depending on how many versions you are likely to want to store, you … Read more
In ElasticSearch >= 5 the documentation has changed, which means none of the above answers worked for me. I tried changing ES_HEAP_SIZE in /etc/default/elasticsearch and in /etc/init.d/elasticsearch, but when I ran ps aux | grep elasticsearch the output still showed: /usr/bin/java -Xms2g -Xmx2g # aka 2G min and max ram I had to make these … Read more
must means: The clause (query) must appear in matching documents. These clauses must match, like logical AND. should means: At least one of these clauses must match, like logical OR. Basically they are used like logical operators AND and OR. See this. Now in a bool query: must means: Clauses that must match for the … Read more
You can try to increase the fielddata circuit breaker limit to 75% (default is 60%) in your elasticsearch.yml config file and restart your cluster: indices.breaker.fielddata.limit: 75% Or if you prefer to not restart your cluster you can change the setting dynamically using: curl -XPUT localhost:9200/_cluster/settings -d ‘{ “persistent” : { “indices.breaker.fielddata.limit” : “40%” } }’ … Read more
For Kibana 4 go to this answer This is easy to do with a terms panel: If you want to select the count of distinct IP that are in your logs, you should specify in the field clientip, you should put a big enough number in length (otherwise, it will join different IP under the … Read more
One of our applications uses data that is stored into both Cassandra and ElasticSearch. We use Cassandra to access those records whenever we can, and have data duplicated into query tables designed to adhere to specific application-side requests. For a more liberal search than our query tables can allow, ElasticSearch performs that functionality nicely. We … Read more
There are many possible reason why allocation won’t occur: You are running different versions of Elasticsearch on different nodes You only have one node in your cluster, but you have number of replicas set to something other than zero. You have insufficient disk space. You have shard allocation disabled. You have a firewall or SELinux … Read more
Assuming you are using the Standard Analyzer GET becomes get when stored in the index. The source document will still have the original “GET”. The match query will apply the same standard analyzer to the search term and will therefore match what is stored in the index. The term query does not apply any analyzers … Read more