I have a query that runs from code (with an external library), and now I am trying to run it directly from the terminal, using the curl command:

This is the original query:

{
    "index": [
        "logstash-*2021.08.21*",
        "logstash-*2021.08.22*"
    ],
    "ignore_unavailable": true,
    "allow_no_indices": true,
    "type": "doc",
    "body": {
        "query": {
            "bool": {
                "must": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": "now-24H/H"
                            }
                        }
                    }
                ]
            }
        }
    }
}

But running the following query from the Linux terminal:

curl -u "*******:****************" -XGET "https://XXXXXXXXXXXXXXXXXXXXXXXXXX:9200/logstash-*/_search" \
-H 'Content-Type: application/json' \
-d '
 {
    "index": [
        "logstash-*2021.08.21*",
        "logstash-*2021.08.22*"
    ],
    "ignore_unavailable": true,
    "allow_no_indices": true,
    "type": "doc",
    "body": {
        "query": {
            "bool": {
                "must": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": "now-24H/H"
                            }
                        }
                    }
                ]
            }
        }
    }
}
'

returns error:

{"error":{"root_cause":[{"type":"parsing_exception","reason":"Unknown key for a START_ARRAY in [index].","line":1,"col":10}],"type":"parsing_exception","reason":"Unknown key for a START_ARRAY in [index].","line":1,"col":10},"status":4

It is worth noting that running the following query without additional parameters returns correct results:

curl -u "elastic:****************" -XGET "https://XXXXXXXXXXXXXXXXXXXXXXXXXX:9200/logstash-*/_search"

What do I need to change in the terminal query?

2 Answers

1

The error occurs because the search API does not specify an indices request body option. Maybe your external library wraps the requests to Elasticsearch, hence you can provide this option.

With

-XGET "https://XXX:9200/logstash-*/_search" 

you already specified that you want to search in all indices matching logstash-*.

Take a look at the documentation here for all possible request and url parameters: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html

If you need to search multiple indices you need to follow the instructions in this guide: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-multiple-indices.html

But since you already have provided an index-pattern in the URL, I don't know if this is still necessary.

Also:

There are no body and type fields allowed in the request body. So after removing the indices array these will be the next errors that Elasticsearch will complain about.

I hope I could help you.

0

Using apt-get-install-skill's tips, I changed the query to:

curl -u "*******:****************" -XGET --globoff "https://XXXXXXXXXXXXXXXXXXXXXXXXXX:9200/logstash-*2021.08.21*,logstash-*2021.08.22*/_search?ignore_unavailable=true&allow_no_indices=true" -H 'Content-Type: application/json' -d'{"query":{"range":{"@timestamp":{"gte":"now-24H/H"}}}}'

It works. Thanks

2 Comments

Glad I could help you. Would you mind accepting my answer?
No, you upvoted the answer but not marked it as accepted via the tickmark ..
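
The mapping the two answers arrive at (index names into the URL path, the remaining top-level options into the query string, only the contents of body sent as the request body), written out as an added Python example that is not part of the original posts. The function names and the placeholder host es.example.invalid are assumptions made for illustration, and authentication options are left out of the generated command.

```python
import json
import shlex
from urllib.parse import quote, urlencode

# Top-level keys of the client-style request that do not become query-string options.
NON_QUERY_KEYS = {"index", "type", "body"}


def to_rest_request(params, base_url):
    """Split a client-style search request into (url, body_json) for the REST API."""
    index = params["index"]
    if isinstance(index, str):
        index = [index]
    # Index names go in the URL path, comma-separated; wildcards stay literal.
    path = ",".join(quote(name, safe="*") for name in index)
    # Remaining top-level options become query-string parameters.
    query = {}
    for key, value in params.items():
        if key in NON_QUERY_KEYS:
            continue
        query[key] = str(value).lower() if isinstance(value, bool) else str(value)
    url = f"{base_url.rstrip('/')}/{path}/_search"
    if query:
        url += "?" + urlencode(query)
    # Only the contents of "body" are sent; "type" is dropped, as in the second answer.
    body = json.dumps(params.get("body", {}), separators=(",", ":"))
    return url, body


def to_curl(params, base_url):
    """Render the request as a curl command line (authentication options omitted)."""
    url, body = to_rest_request(params, base_url)
    argv = ["curl", "-XGET", "--globoff", url,
            "-H", "Content-Type: application/json", "-d", body]
    return shlex.join(argv)


# Constructed input: the request from the question, with a placeholder host.
REQUEST = {
    "index": ["logstash-*2021.08.21*", "logstash-*2021.08.22*"],
    "ignore_unavailable": True,
    "allow_no_indices": True,
    "type": "doc",
    "body": {"query": {"bool": {"must": [
        {"range": {"@timestamp": {"gte": "now-24H/H"}}}]}}},
}

if __name__ == "__main__":
    print(to_curl(REQUEST, "https://es.example.invalid:9200"))
```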
