I created my first AWS ElasticSearch cluster and uploaded some data to it (shown below).

When I search for a domain such as example.com, I get zero results.

Is this a search query or indexing issue?

# curl -XGET -u username:password 'https://xxxxx.us-east-1.es.amazonaws.com/hosts/_search?q=example.com&pretty=true'
{
  "took" : 7,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

I confirmed that a match_all query does return all the records.

match_all

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "hosts",
        "_type" : "_doc",
        "_id" : "KK0PcnMBqk4TBzxZPeGU",
        "_score" : 1.0,
        "_source" : {
          "name" : "mail.stackoverflow.com",
          "type" : "a",
          "value" : "10.0.0.3"
        }
      },
      {
        "_index" : "hosts",
        "_type" : "_doc",
        "_id" : "J60PcnMBqk4TBzxZPeGU",
        "_score" : 1.0,
        "_source" : {
          "name" : "ns1.guardian.co.uk",
          "type" : "a",
          "value" : "10.0.0.2"
        }
      },
      {
        "_index" : "hosts",
        "_type" : "_doc",
        "_id" : "Ka0PcnMBqk4TBzxZPeGU",
        "_score" : 1.0,
        "_source" : {
          "name" : "test.example.com",
          "type" : "a",
          "value" : "10.0.0.4"
        }
      }
    ]
  }
}

Bulk Upload Command

curl -XPUT -u username:password https://xxxxx.us-east-1.es.amazonaws.com/_bulk --data-binary @bulk.json -H 'Content-Type: application/json'

bulk.json

{ "index" : { "_index": "hosts" } }
{"name":"ns1.guardian.co.uk","type":"a","value":"10.0.0.2"}
{ "index" : { "_index": "hosts" } }
{"name":"mail.stackoverflow.com","type":"a","value":"10.0.0.3"}
{ "index" : { "_index": "hosts" } }
{"name":"test.example.com","type":"a","value":"10.0.0.4"}

1 Answer

You can use the Path hierarchy tokenizer that takes a hierarchical value like a filesystem path, splits on the path separator, and emits a term for each component in the tree.

Index Mapping:

{
  "settings": {
    "analysis": {
      "analyzer": {
        "path-analyzer": {
          "type": "custom",
          "tokenizer": "path-tokenizer"
        }
      },
      "tokenizer": {
        "path-tokenizer": {
          "type": "path_hierarchy",
          "delimiter": ".",
          "reverse": "true"
        }
      }
    }
  },
  "mappings": {
    "properties": {
      "name": {
        "type": "text",
        "analyzer": "path-analyzer",
        "search_analyzer": "keyword"
      }
    }
  }
}

Analyze API

In the index mapping above, reverse is set to true, which will emit the tokens in reverse order (reverse is set to false by default).

POST /hosts/_analyze
{
  "analyzer": "path-analyzer",
  "text": "test.example.com"
}

This will produce three tokens:

{
"tokens": [
    {
        "token": "test.example.com",
        "start_offset": 0,
        "end_offset": 16,
        "type": "word",
        "position": 0
    },
    {
        "token": "example.com",
        "start_offset": 5,
        "end_offset": 16,
        "type": "word",
        "position": 0
    },
    {
        "token": "com",
        "start_offset": 13,
        "end_offset": 16,
        "type": "word",
        "position": 0
    }
]
}

Search Query:

{
  "query": {
    "term": {
      "name": "example.com"
    }
  }
}

Search Result:

"hits": [
  {
    "_index": "hosts",
    "_type": "_doc",
    "_id": "d67gdHMBcF4W0YVjq8ed",
    "_score": 1.3744103,
    "_source": {
      "name": "test.example.com",
      "type": "a",
      "value": "10.0.0.4"
    }
  }
]
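
The matching behaviour from the answer above, modelled offline in Python as an added example (not code from the original post or from Elasticsearch). `reverse_path_tokens` imitates the `path_hierarchy` tokenizer with `reverse` set to true, while `whole_value_token` is a simplified assumption that the question's original index kept each hostname as a single token; all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: the three records from bulk.json on this page.
DOCS = [
    {"name": "ns1.guardian.co.uk", "type": "a", "value": "10.0.0.2"},
    {"name": "mail.stackoverflow.com", "type": "a", "value": "10.0.0.3"},
    {"name": "test.example.com", "type": "a", "value": "10.0.0.4"},
]

def reverse_path_tokens(text, delimiter="."):
    """Imitate path_hierarchy with reverse=true: one token per label-aligned suffix."""
    labels = text.split(delimiter)
    return [delimiter.join(labels[i:]) for i in range(len(labels))]

def whole_value_token(text):
    """Simplified assumption for the original index: the hostname is one lowercased token."""
    return [text.lower()]

def build_index(docs, analyzer):
    """Inverted index: each emitted token maps to the hostnames that produced it."""
    index = defaultdict(set)
    for doc in docs:
        for token in analyzer(doc["name"]):
            index[token].add(doc["name"])
    return index

def term_query(index, term):
    """Term lookup with a keyword search analyzer: the query is one exact, unsplit term."""
    return sorted(index.get(term, set()))

if __name__ == "__main__":
    default_index = build_index(DOCS, whole_value_token)
    suffix_index = build_index(DOCS, reverse_path_tokens)
    print(reverse_path_tokens("test.example.com"))
    # "ample.com" and "example" are not label-aligned suffixes, so neither index matches them.
    for q in ("example.com", "co.uk", "com", "ample.com", "example"):
        print(q, term_query(default_index, q), term_query(suffix_index, q))
```

Only label-aligned suffixes are indexed, so a query for `example.com` finds `test.example.com` but would not match a lookalike such as `notexample.com`.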

1 Comment

@A_B did you get a chance to go through my answer? Looking forward to getting feedback from you.