Mapping MAC address to elasticsearch index using jdbc rivers
We have a type that contains a MAC address field. Data is provided using the JDBC river.
The reason is that when you start aggregating terms on the mac_address field, the results look like the field is split into indexed keys:
Act:
GET index/type/_search?search_type=count
{
  "aggs" : {
    "uniqe_macs" : {
      "terms" : {
        "field" : "mac_address"
      }
    }
  }
}
Result:
"aggregations": {
  "uniqe_visitors": {
    "buckets": [
      {
        "key": "00",
        "doc_count": 1608759
      },
      {
        "key": "10",
        "doc_count": 674633
      },
      {
        "key": "18",
        "doc_count": 588591
      },
      {
        "key": "f0",
        "doc_count": 544897
      },
      {
        "key": "60",
        "doc_count": 538841
      },
      {
        "key": "40",
        "doc_count": 529085
      },
      {
        "key": "08",
        "doc_count": 523681
      },
      {
        "key": "d0",
        "doc_count": 515774
      },
      {
        "key": "54",
        "doc_count": 514771
      },
      {
        "key": "04",
        "doc_count": 509629
      }
    ]
  }
}
What can you do to force Elasticsearch to display this field instead of breaking it down into keys?
Can you try the following mapping, with a custom parser on the ES field mac_address?
Define Analyzer
curl -XPUT http://localhost:9200/INDEX -d '
{
  "settings" : {
    "analysis" : {
      "analyzer" : {
        "my_edge_ngram_analyzer" : {
          "tokenizer" : "my_edge_ngram_tokenizer"
        }
      },
      "tokenizer" : {
        "my_edge_ngram_tokenizer" : {
          "type" : "edgeNGram",
          "min_gram" : "2",
          "max_gram" : "17"
        }
      }
    }
  }
}'
Apply mapping
curl -XPUT http://localhost:9200/INDEX/TYPE/_mapping -d '
{
  "TYPE": {
    "properties": {
      "mac_address": {
        "type": "string",
        "index_analyzer" : "my_edge_ngram_analyzer",
        "search_analyzer": "keyword"
      }
    }
  }
}'
It was easier for me to define a raw multifield for mac_address and set it to not_analyzed, as described here. While this did not work for old data, there is no need to change the index with the new parser.
curl -XPUT http://localhost:9200/INDEX/TYPE/_mapping -d'
{
  "TYPE" : {
    "properties" : {
      "mac_address" : {
        "type" : "string",
        "fields": {
          "raw" : {
            "type": "string",
            "index": "not_analyzed"
          }
        }
      }
    }
  }
}'
Then for the aggregation you just need to use the field mac_address.raw:
curl -XPOST http://localhost:9200/INDEX/TYPE/_search?search_type=count -d'
{
  "aggs" : {
    "unique_macs" : {
      "terms" : {
        "field" : "mac_address.raw"
      }
    }
  }
}'
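Why the three mappings on this page produce different buckets, as an added example (not code from the question or either answer): a small Python model of a terms aggregation, which counts documents per indexed term, run over constructed MAC addresses. The analyzed-field tokenizer is a simplified assumption (split on non-alphanumeric characters), not Elasticsearch's actual standard tokenizer, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample values for the mac_address field (not data from the page).
DOCS = [
    "00:1a:2b:3c:4d:5e",
    "00:1a:2b:99:88:77",
    "f0:de:f1:00:11:22",
    "00:1a:2b:3c:4d:5e",
]

def simple_analyzed(value):
    """Simplified stand-in for an analyzed string field: lowercase, then split
    on anything that is not a letter or digit. The real standard tokenizer
    follows Unicode word-break rules and can differ on some inputs."""
    return [t for t in re.split(r"[^0-9a-z]+", value.lower()) if t]

def edge_ngram(value, min_gram=2, max_gram=17):
    """Prefixes of the whole value with lengths min_gram..max_gram, matching
    the edgeNGram tokenizer settings shown in the first answer."""
    return [value[:n] for n in range(min_gram, min(max_gram, len(value)) + 1)]

def not_analyzed(value):
    """not_analyzed (the .raw sub-field): the whole value is a single term."""
    return [value]

def terms_agg(docs, tokenize, size=10):
    """Model of a terms aggregation: doc_count is the number of documents
    whose indexed terms include the key, so a doc counts once per term."""
    counts = Counter()
    for doc in docs:
        counts.update(set(tokenize(doc)))
    # Highest doc_count first; ties broken by key to keep output deterministic.
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:size]

if __name__ == "__main__":
    strategies = [
        ("analyzed (default)", simple_analyzed),
        ("edge n-gram index analyzer", edge_ngram),
        ("not_analyzed (.raw)", not_analyzed),
    ]
    for name, tokenize in strategies:
        print(name, terms_agg(DOCS, tokenize, size=4))
```

Only the not_analyzed strategy yields one bucket per distinct MAC address; the edge n-gram strategy yields a bucket for every indexed prefix.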