Develop Reference

ElasticSearch substring match

Suppose I have a string like
/something/other/123
I want to be able to search 123. For some reason given that the string is indexed as keyword, when I attempt to do
GET /_search
{
"query": {
"wildcard": {"myfield": {"value": "*123"}}
}
}
It gives nothing, why is that?

Wildcard query works on the keyword field. if you have .keyword subfield(if Elasticsearch generated the mapping for your myfield) then below query returns the result.
{
"query": {
"wildcard": {
"myfield.keyword": { --> note .keyword in the field name.
"value": "*123"
}
}
}
}

how to write Elastic search query for exact match for a string

I am using kibanna
I am trying to put filter on a field container_name = "armenian"
but I have other container names with following names
armenian_alpha
armenian_beta
armenian_gama
armenian1
armenian2
after putting the filter , search query in kibanna becomes
{
"query": {
"match": {
"container_name": {
"query": "armenian",
"type": "phrase"
}
}
}
}
But the output searches logs for all containers , as I can see the Elastic search query is using a pattern matching
How can I put an exact match with the string provided and avoid the rest ?

You can try out with term query. Do note that it is case sensitive by default unless you specify with case_insensitive equals to true. Also, if your container_name is a text field type instead of keyword field type, do add the .keyword after the field name. Otherwise, ignore the .keyword.
Example:
GET /_search
{
"query": {
"term": {
"container_name.keyword": {
"value": "armenian"
}
}
}
}
Link here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html

I would recommend using a direct wildcard in query or wildcard as follow
GET /_search
{
"query": {
"match": {
"container_name": {
"query": "*armenian",
"type": "phrase"
}
}
}
}
GET /_search
{
"query": {
"wildcard": {
"container_name": {
"value": "*armenian"
}
}
}
}
With *armenian you are ensuring that armenian comes at the end.

How to use Wildcards in Elastic search query to skip some prefix values

"I am searching in a elasticsearch cluster GET request on the basis of sourceID tag with value :- "/A/B/C/UniqueValue.xml" and search query looks like this:-"
{
"query": {
"bool": {
"must": [
{
"term": {
"source_id": {
"value": "/A/B/C/UniqueValue.xml"
}
}
}
]
}
}
}
"How can i replace "/A/B/C" from any wildcard or any other way as i just have "UniqueValue.xml" as an input for this query. Can some please provide the modified search Query for this requirement? Thanks."

The following search returns documents where the source_id field contains a term that ends with UniqueValue.xml.
{
"query": {
"wildcard": {
"source_id": {
"value": "*UniqueValue.xml"
}
}
}
}
Note that wildcard queries are expensive. If you need fast suffix search, you could add a multi-field to your mapping which includes a reverse token filter. Then you can use prefix queries on that reversed field.

elasticsearch added wildcard fails query

Works as expected:
{
"query": {
"query_string": {
"query": "Hofstetten-Grünau"
}
}
}
an added wildcard at the end delivers no results and I wonder why:
{
"query": {
"query_string": {
"query": "Hofstetten-Grünau*"
}
}
}
how to fix it?
elasticsearch v5.3.2
This delivers results:
{
"query": {
"query_string": {
"query": "Hofstetten*"
}
}
}
I use a single search field. The end user can freely use wildcards as they see fit. A user might type in:
hofstetten grünau
+ort:hofstetten-grünau
+ort:Hofstetten-G*
so using a match query wont work out for me.
I am using Jest (Java Annotations) as Mapping, and using "default" for this field. My index mapping declares nothing special for the field:
{
"mappings": {
"_default_": {
"date_detection": false,
"dynamic_templates": [{
}]
}
}
}

Adding the wildcard "*" at the end of your query string is causing the query analyzer to interpret the dash between "Hofstetten" and "Grünau" as a logical NOT operator. So you're actually searching for documents that contain Hofstetten but do NOT contain Grünau.
You can verify this by doing the following variations of your search:
"query": "Hofstetten-XXXXX" #should not return results
"query": "Hofstetten-XXXXX*" #should return results
To fix this I would recommend using a match query instead of a query_string query:
{"query": {"match": { "city": "Hofstetten-Grünau" }}}'
(with whatever your appropriate field name is in place of city).

multi_match fuzzy query across multiple fields

I am working to match a 'term' to multi fields (or _all field)
I want to do a fuzzy match on cross_fields but it is not supported.
any ideas how to do it or any other ways to do it ?
query: {
multi_match: {
query: term,
type: "cross_fields",
fields: ['_all']
}
}
when trying the solution here
ElasticSearch multi_match query over multiple fields with Fuzziness
I get this error
[parsing_exception] Fuziness not allowed for type [cross_fields], with
{ line=1 & col=128 }
elasticsearch version 5.0
edit:
here is the query I am building
bool: {
must: [
{
fuzzy: {
_all: term
}
},
{
fuzzy: {
"location.country": country
}
},
{
fuzzy: {
"location.city": city
}
}
]
}

cross_fields works by searching the term on your multiple fields. Since fuzziness isn't supported for cross_fields you have to write the query in a different way.
One possible is: implement your own "cross_fields" with shoulds and add there the fuzziness.
Say your term is: "term1 term2", you can split by word boundary (Regex \b) then should them in this form:
{
{
"query": {
"bool": {
"should": [{
"match": {
"field1": "term",
"fuzziness": 1
}
},{
"match": {
"field1": "term",
"fuzziness": 1
}
},{
"match": {
"field2": "term1",
"fuzziness": 1
}
},{
"match": {
"field2": "term12",
"fuzziness": 1
}
}
]
}
}
}
}
This is probably less the optimal if you have many fields, the query will become a cartesian product of the terms and fields.
Important note You're using _all field which is one field. which all other fields are indexed into. Maybe you don't even need cross_fields?