Combining Queries with Compound Searching in Elasticsearch 7.13

1.5 hours
  • 3 Learning Objectives

About this Hands-on Lab

For more complicated queries, you need to be able to combine many different search functions together. You can do this with compound search functions in Elasticsearch. In this hands-on lab, you will leverage compound search functions and boolean logic to write and combine term-level and full-text queries into a single search request.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Craft a Query That Answers the Question: How Many Web Requests Originate from Either US or CN Where the Response Was Not 200?

From the Kibana console, craft a compound query on the logs dataset that answers the question.

Craft a Query That Answers the Question: How Many Web Requests with a 200 Response and at Least 2 Tags with ‘success’, ‘security’, or ‘info’ Value Are Not from a Machine with a Windows Operating System?

From the Kibana console, craft a compound query on the logs dataset that answers the question.

Craft a Query That Answers the Question: How Many Web Requests Were Made for apm-server RPM or DEB Files by Users Using an OS X Operating System?

From the Kibana console, craft a compound query on the logs dataset that answers the question. Filter down the results to only include files between 1024 and 8192 bytes without effecting relevancy scoring.

Additional Resources

Logging In to the Elastic Environment

  1. Open a new browser tab and navigate to the public IP address of the es1 node provided on the lab page (e.g., http://public_ip).
  2. Log in using the username elastic and password elastic_acg.

Lab Scenario

You work as a system administrator supporting a company website. You've been asked by the IT security team to query the logs dataset in order to provide the following:

  • Find all web requests originating from either US or CN where the response was not 200.
  • Find all web requests with a 200 response that has at least 2 tags with success, security, or info value and is not from a machine with a Windows operating system.
  • Find all web requests made for apm-server RPM or DEB files by users using an OS X operating system. Filter down the results to only include files between 1024 and 8192 bytes without affecting relevancy scoring.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?