Can I search Elasticsearch (version 2.3) and, in the search query, sort by more than one field? Right now I'm sorting by @timestamp and I would like to sort by hostname as well.
Thanks,
Elasticsearch supports sorting by array or multi-valued fields. The mode option controls what array value is picked for sorting the document it belongs to.
Back in the earliest days of Elasticsearch, a _timestamp mapping field was available for an index. While this functionality has been deprecated since version 2.0, this certainly doesn’t mean that you can no longer index a document with a timestamp.
Keep in mind that the default number of results to return is 10, which is why not all results show up in the output; you can add the "size" parameter to your query to specify how many results you’d like to get back. Analyzed fields in Elasticsearch allow for broader searching on partial matches, but they can make sorting a tricky task.
This is because Elasticsearch has no dedicated array type, and any field could contain multiple values. The fields parameter also does not guarantee that array values are returned in a specific order. See the mapping documentation on arrays for more background.
As the doc says, you can add one or more sorts on specific fields like this:
"sort": [
  { "@timestamp": "desc" },
  { "hostname": "desc" }
]
{
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-1d",
        "lte": "now"
      }
    }
  },
  "from": 0,
  "size": 1000,
  "_source": [
    "@timestamp",
    "hostname"
  ],
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    },
    {
      "hostname": "desc"
    }
  ]
}