elasticsearch search

Search with a given query

Description

Returns search hits that match the query in the request

Synopsis

elasticsearch search
    [--site <site>]
    [--cluster <cluster>]
    [--target <target>]
    [--from <from>]
    [--size <size>]
    [--sort <sort>]
    --query <query>

Arguments

site - (string)

     Site where this command will be executed
     Example: --site "site-1"
     Default: input.site
     Attributes: optional

cluster - (string)

     Name of the Elasticsearch cluster
     Example: --cluster "elastic-default"
     Default: elastic-default
     Attributes: optional

target - (string)

     List of data streams, indices, and index aliases used to limit the request
     Example: --target "students" or --target "_all"
     Default: _all
     Attributes: optional, multiple allowed

from - (int)

     Starting document offset
     Example: --from 1
     Default: 0
     Attributes: optional

size - (int)

     Defines the number of hits to return
     Example: --size 1
     Default: 10
     Attributes: optional

sort - (string)

     List of field:order pairs (see the example for the format)
     Example: --sort ""name":"asc","age":"desc""
     Default: _None_
     Attributes: optional, multiple allowed

query - (string)

     Query string you wish to parse and use for filtering. Defined using Lucene query string syntax.
     Example: --query "(new york city) OR (big apple)"
     Default: _None_
     Attributes: required

Examples

Input:

! elasticsearch search --cluster "elastic-1" --target "my-index-000001" --query "user.id:kimchy"

Output:

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 3,
      "relation": "eq"
    },
    "max_score": 0.6931471,
    "hits": [
      {
        "_index": "my-index-000001",
        "_type": "_doc",
        "_id": "5qCjO3wBAue9X_A2Q4qK",
        "_score": 0.6931471,
        "_source": {
          "@timestamp": "2099-11-15T13:12:00",
          "message": "GET /search HTTP/1.1 200 1070000",
          "user": {
            "id": "kimchy"
          }
        }
      },
      {
        "_index": "my-index-000001",
        "_type": "_doc",
        "_id": "o74aUXwBYiwTRml6JRUV",
        "_score": 0.6931471,
        "_source": {
          "@timestamp": "2099-11-15T13:12:00",
          "message": "GET /search HTTP/1.1 200 1070000",
          "user": {
            "id": "kimchy"
          }
        }
      },
      {
        "_index": "my-index-000001",
        "_type": "_doc",
        "_id": "3",
        "_score": 0.6931471,
        "_source": {
          "@timestamp": "2099-11-15T13:12:00",
          "message": "GET /search HTTP/1.1 200 1070000",
          "user": {
            "id": "kimchy"
          }
        }
      }
    ]
  }
}
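The --query argument is parsed with Lucene query string syntax, so any value that comes from user input (a username, a search box) has to be escaped before it is embedded in a field:value clause; otherwise characters such as `(`, `)`, `*` or `:` rewrite the query itself. The following added example, which is not part of this reference or of the CLI's own code, shows one way to escape such a value, assemble the command's argv list from the options documented above, and pull the usual checks (hit total and its relation, timeouts, failed shards, hit sources) out of output shaped like the response shown. Function names, the sample output and the `kimchy) OR (*` input are this example's own constructions; the reserved-character set is the one documented for Lucene query string syntax.

```python
# Added example (not part of the elasticsearch CLI reference): build an
# `elasticsearch search` invocation from untrusted input and parse its output.
import json
import shlex
from typing import Any, Iterable

# Characters that carry meaning in Lucene query string syntax (the syntax
# --query is parsed with). Values taken from user input must have them escaped
# before being embedded in a field:value clause, otherwise the input can
# rewrite the query itself (for example "* OR *" matches every document, and
# unbounded wildcard or regex terms are expensive for the cluster to evaluate).
LUCENE_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')


def escape_lucene(value: str) -> str:
    """Backslash-escape every reserved character so `value` matches literally."""
    return "".join("\\" + ch if ch in LUCENE_RESERVED else ch for ch in value)


def term_clause(field: str, value: str) -> str:
    """field:value clause for a single-token literal value (the field name is trusted)."""
    return f"{field}:{escape_lucene(value)}"


def phrase_clause(field: str, value: str) -> str:
    """field:"..." clause for a multi-word literal; inside quotes only \\ and " are special."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def build_argv(query: str, cluster: str = "elastic-default",
               targets: Iterable[str] = (), from_: int = 0, size: int = 10,
               sorts: Iterable[str] = ()) -> list[str]:
    """argv list for the command, mirroring the documented options (no shell involved)."""
    argv = ["elasticsearch", "search", "--cluster", cluster]
    for target in targets:
        argv += ["--target", target]
    argv += ["--from", str(from_), "--size", str(size)]
    for sort in sorts:
        argv += ["--sort", sort]
    argv += ["--query", query]
    return argv


def summarize(raw_output: str) -> dict[str, Any]:
    """Parse the JSON the command prints into the fields a caller usually checks."""
    doc = json.loads(raw_output)
    total = doc["hits"]["total"]
    return {
        "total": total["value"],
        # relation "gte" means the count is a lower bound (total tracking capped), not exact
        "total_is_lower_bound": total["relation"] == "gte",
        "timed_out": doc["timed_out"],
        "failed_shards": doc["_shards"]["failed"],
        "sources": [hit["_source"] for hit in doc["hits"]["hits"]],
    }


# Constructed sample output, shaped like the response shown on this page.
SAMPLE_OUTPUT = json.dumps({
    "took": 1, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "max_score": 0.6931471,
        "hits": [
            {"_index": "my-index-000001", "_id": "1", "_score": 0.6931471,
             "_source": {"message": "GET /search HTTP/1.1 200 1070000", "user": {"id": "kimchy"}}},
            {"_index": "my-index-000001", "_id": "2", "_score": 0.6931471,
             "_source": {"message": "GET /login HTTP/1.1 401 512", "user": {"id": "kimchy"}}},
        ],
    },
})

if __name__ == "__main__":
    user_supplied = "kimchy) OR (*"          # constructed input that tries to widen the query
    query = term_clause("user.id", user_supplied)
    argv = build_argv(query, cluster="elastic-1", targets=["my-index-000001"], size=1)
    print(shlex.join(argv))                  # the escaped value stays a single literal term
    print(summarize(SAMPLE_OUTPUT))
```

Passing the argv list straight to `subprocess.run` (without `shell=True`) keeps the CLI's own quoting out of the picture; the `--sort` value is passed through exactly as the documentation specifies it. When `total_is_lower_bound` is true the `total` figure only says "at least this many", so paging with --from/--size rather than trusting the count is the safer way to enumerate all hits.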

Access Control

To use this command, you need access to the following:

Field              Value
Action             "read"
Service Type       "elasticsearch"
Service Instance   cluster
Namespace          (none)
Object Type        "index"
Object ID          target

Please see Access Control for details.