add example with search query match before aggregate

[robomotic]

Hi there,
I am struggling to make a simple match query via the Search class.
This is okay:

filebeat = indices['filebeat-7.14.0-2021.08.24-000001']
search = filebeat.search().size(1).groupby('alerts_day', 'date_histogram', fixed_interval='1d', field='@timestamp',format="yyyy-MM-dd")

search.to_dict()

But I only want to filter to a subset.

filebeat = indices['filebeat-7.14.0-2021.08.24-000001']
q = {'query': {'match': {'log.file.path':'first-org-conf-2015-eve.json'}}}
search = filebeat.search().filter('term',log.file.path='first-org-conf-2015-eve.json').size(1).groupby('alerts_day', 'date_histogram', fixed_interval='1d', field='@timestamp',format="yyyy-MM-dd")

search.to_dict()

This generates an error.

Where do I add the match syntax? Should I do via filter but how?

[alk-lbinet]

Hi @robomotic,
The error is caused by filter('term', log.file.path='xxx') since python doesn't accept dots '.' in functions named keywords (ie you can do some_thing="xxx" but not some.thing="xxx").

Here are the workarounds:

# replace '.' by '__', it will be automatically converted in '.'
.filter('term', log__file__path='first-org-conf-2015-eve.json')

# use the "native" query syntax
.filter('term', {"log.file.path": 'first-org-conf-2015-eve.json'})

# use the pandagg query classes
from pandagg.query import Term
.filter(Term(field="log.file.path", value='first-org-conf-2015-eve.json'))

cheers
Léonard

[alk-lbinet]

I leave the issue open until documentation is clear on this point (main focus in the coming month).

[priamai]

That worked and yes would love to have a better documentation!
Also would be nice to show how to iterate through an index

indices = discover(es_client, "filebeat-*")
for index in indices: ???

It is not an iterable so some example is required.

[alk-lbinet]

@priamai can you create a dedicated issue for that thx :) (feature request)