Hello, I have an Elasticsearch instance (8.5.3) on cloud. One of the sample log entries is:
{
  "_index": ".ds-logs-elastic_agent-default-2022",
  "_id": "oc_PEIUBM9Mtr",
  "_score": "null",
  "_source": {
    "agent": {
      "name": "L51",
      "id": "df5fe808-af86",
      "ephemeral_id": "1a26250c-3c20",
      "type": "filebeat",
      "version": "8.5.2"
    },
    "log": {
      "file": {
        "path": "C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-c13f91\\logs\\elastic-agent-20221208-3.ndjson"
      },
      "offset": 210000
    },
    "elastic_agent": {
      "id": "df5fe808-af8",
      "version": "8.5.2",
      "snapshot": "false"
    },
    "message": "Source URI changed from \"https://artifacts.elastic.co/downloads/\" to \"https://artifacts.elastic.co/downloads/\"",
    "input": {
      "type": "filestream"
    },
    "log.origin": {
      "file.line": 138,
      "file.name": "artifact/config.go"
    },
    "@timestamp": "2022-12-14T13:23:01.182Z",
    "ecs": {
      "version": "8.0.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "elastic_agent"
    },
    "host": {
      "hostname": "L51",
      "os": {
        "build": "190.21",
        "kernel": "10.0.19.51 (WinBuild.160101.0800)",
        "name": "Windows 10 Home Single Language",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "fe80::52f2",
        "16.25.20.7"
      ],
      "name": "L51",
      "id": "d4d7",
      "mac": [
        "00-09-0F"
      ],
      "architecture": "x86_64"
    },
    "log.level": "info",
    "event": {
      "agent_id_status": "verified",
      "ingested": "2022-12-14T13:25:32Z",
      "dataset": "elastic_agent"
    }
  },
  "sort": [484]
}
Now I want to write a query that accesses the 'type' field under 'agent' (which is 'filebeat' here) and passes it to the query so that Elasticsearch returns all log entries of the filebeat type. So far I can access the '_id' field with the following query:
GET /_search
{
  "query": {
    "term": {
      "_id": {
        "value": "oc_PEIUBM9Mtr"
      }
    }
  }
}
However, I have no idea how to obtain the inner field 'type' and pass it to the query. Please help.
CodePudding user response:
Simply like this:
GET /_search
{
  "query": {
    "term": {
      "agent.type": {
        "value": "filebeat"
      }
    }
  }
}
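The answer above works because Elasticsearch addresses nested object fields with a dotted path: `agent.type` reaches the `type` key inside the `agent` object. The sample document also shows the other way a dotted name can arise, a literal key such as `"log.origin"` containing `"file.name"`, and Elasticsearch flattens both forms into the same field namespace. The following added example (not from the question, the answer, or Elasticsearch itself) builds the same term query body for any field and evaluates it offline against constructed hits, using a path resolver that handles both nested objects and literal dotted keys. The hit documents, their `_id` values and the helper names are assumptions made up for the example.

```python
import json

# Constructed sample hits, modelled on the shape of the log entry in the
# question. The _id values and field values are made up for this example.
SAMPLE_HITS = [
    {"_id": "doc-1", "_source": {"agent": {"type": "filebeat", "version": "8.5.2"},
                                  "log.origin": {"file.name": "artifact/config.go"},
                                  "log.level": "info"}},
    {"_id": "doc-2", "_source": {"agent": {"type": "metricbeat", "version": "8.5.2"},
                                  "log.level": "warn"}},
    {"_id": "doc-3", "_source": {"agent": {"type": "filebeat", "version": "8.5.0"},
                                  "log": {"origin": {"file.name": "other.go"}},
                                  "log.level": "error"}},
]


def term_query(field, value):
    """Build the term query body shown in the answer, for an arbitrary dotted field."""
    return {"query": {"term": {field: {"value": value}}}}


def resolve_field(source, field):
    """Return the value at a dotted field path in a _source document, or None.

    Elasticsearch flattens nested objects ("agent" -> "type") and literal dotted
    keys ("log.origin" -> "file.name") into the same namespace, so the lookup
    tries every key that is either the whole remaining path or a prefix of it.
    """
    if not field:
        return source
    if not isinstance(source, dict):
        return None
    for key, value in source.items():
        if field == key:
            return value
        if field.startswith(key + "."):
            found = resolve_field(value, field[len(key) + 1:])
            if found is not None:
                return found
    return None


def apply_term_query(hits, query):
    """Evaluate a single-field term query offline; returns the matching _id values.

    A term query is an exact match on the indexed value, which is what the
    constructed keyword-style fields here provide.
    """
    (field, spec), = query["query"]["term"].items()
    return [hit["_id"] for hit in hits
            if resolve_field(hit["_source"], field) == spec["value"]]


if __name__ == "__main__":
    query = term_query("agent.type", "filebeat")
    print(json.dumps(query, indent=2))
    print("matching ids:", apply_term_query(SAMPLE_HITS, query))
```

One caveat for real clusters: `term` is an exact match, so it behaves as expected on `keyword` fields (as `agent.type` is in the ECS mapping of the `elastic_agent` data stream) but will usually miss on analyzed `text` fields, where a `match` query or the field's `.keyword` subfield is the right choice.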