I want to search objects in Elasticsearch which are combination of two index.
Is there a way to search on two index with specific condition on them?
for example:
I have an index siem-referencedata-list with lists' metadata. each documents have a subset index base on its id (siem-referencedata-list-documentsId)
how could I set a query that check siem-referencedata-list and its subsets?
I have below query for siem-referencedata-list
POST siem-referencedata-list/_search
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"query_string": {
"default_field": "list.name",
"query": "*list1*",
"default_operator": "OR"
}
}
]
}
},
{
"bool": {
"should": [
{
"query_string": {
"default_field": "list.type",
"query": "*Keyword*",
"default_operator": "OR"
}
}
]
}
}
]
}
}
}
and also I have below query for indexes base on above documents' id (`siem-referencedata-list-*)
POST siem-referencedata-list-*/_search
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"query_string": {
"query": "*30.3.30.3*"
}
}
]
}
}
]
}
}
}
How can I set a query to combine them?
search items on siem-referencedata-list and also on siem-referencedata-list-* and result items that are both results.
I set two different query and get two different arrays. How can I get intersection of these two arrays?
this is a workaround add a property to documents in this specific index "siem-referencedata-list" while indexing
and use that property to query the documents
I added specific word column- into documents of indexes "siem-referencedata-list-*" and I separated query function of "siem-referencedata-list" and its subsets..
POST siem-referencedata-list/_search
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"query_string": {
"query": "*list1*",
"fields": ["column-*"]
}
}
]
}
}
]
}
}
}
Related
I have already various queries that collect data and show it in the Kibana dashboard.
Now I would like to get unique values from my result data. How can I write the query DSL for that.
Basically I would like to get unique value for the field contextMap.connectionid. Is there a way do achieve that using something similar to this example?
{
"query": {
"bool": {
"must": [
{
"nested": {
"path": "app",
"query": {
"bool": {
"must": [
{
"match": {
"app.key": "contextMap.connectionid"
}
}
]
}
}
}
}
]
}
}
}
You can calculate distinct count with the help of aggregation .
So, your search query is :
Search Query :
{
"query": {
"bool": {
"must": [
{
"nested": {
"path": "app",
"query": {
"bool": {
"must": [
{
"match": {
"app.key": "contextMap.connectionid"
}
}
]
}
}
}
}
]
}
},
"aggs": {
"uniqueconnectionId": {
"terms": {
"field": "contextMap.connectionid.keyword"
}
}
}
}
You can refer here for calculating distinct values of a field https://discuss.elastic.co/t/get-distinct-values-from-a-field-in-elasticsearch/99783
I have this query:
{
"query": {
"bool": {
"must": [
{
"match": {
"egyik": {
"query": "piros alma"
}
}
},
{
"match": {
"masik": {
"query": "piros alma"
}
}
}
]
}
}
}
It's not too beautiful, because the query parameter occured twice, therefore I tried to rewrite it with the multi_match syntax:
{
"query": {
"bool": {
"must": {
"multi_match": {
"query": "piros alma",
"fields": [
"egyik",
"masik"
]
}
}
}
}
}
But it returns more hits than the first. I tried operator, minimum_should_match modifiers, but not helps. How do I solve the same result with multi_match?
As far as I know, all types of multi-match queries return a hit when the provided query matches any of the listed fields (see Elastic docs). Therefore, the reason why you have more hists with multi_match is that you can't enforce the same boolean condition you have with your first query. That said, I don't see anything wrong with repeating the same query parameter twice. If you want to generalise it a bit, you might want to consider using Search Templates
By default operator OR is used, which means query term can be present in any field, if you want query term to be present in all the fields then you can explicitly define operator field with AND value.
{
"query": {
"bool": {
"must": {
"multi_match": {
"query": "piros alma",
"fields": [
"egyik",
"masik"
],
"operator":"and"
}
}
}
}
}
To know more you can go through this
Meanwhile I found the solution:
{
"query": {
"bool": {
"must": {
"multi_match": {
"query": "piros alma",
"fields": [
"egyik",
"masik"
],
"type": "cross_fields",
"operator": "and"
}
}
}
}
}
Need the type and operator together.
I want to search 2 values in 2 different columns using wildcard but its not running as expected with 2 values but runs fine on single query_string
This works with single column
{
"query": {
"query_string" : {
"default_field" : "Phone",
"query" : "*568072*"
}
}
}
I tried to expand it to use it with 2 columns with 2 different values.
{
"query":
{
"bool":
{
"should": [
{
"query_string":
{
"query": "*Chicago*",
"fields": ["Sources"]
},
"query_string":
{
"query": "*493*",
"fields": ["Phone"]
}
}
]
}
}
}
Where am I wrong ?
You have a mistake in your query. You have one big object inside should array, that has two same keys that does not make sense. Instead it should be array of objects like this:
{
"query": {
"bool": {
"should": [
{ "query_string": { "query": "*Chicago*", "fields": ["Sources"] } },
{ "query_string": { "query": "*493*", "fields": ["Phone"] } }
]
}
}
}
When querying Elastic with:
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "data.payload.NSFILEID.num:1492141378",
"analyze_wildcard": true
}
}
]
}
}
I get docs with data.payload.NSFILEID.num = 1492141378 and close ones.
Same behaviour with:
{
"query": {
"term": {
"data.payload.NSFILEID.num": 1492141378
}
}
}
This field is indexed as number.
How could I get only exact ones?
I am using the query string query and default operator OR
here is my query
GET prasad/_search
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*96 prasad*"
, "default_operator": "OR"
}
}
]
}
}
}
I have data in my document as 96315 but this query is not hitting this document.Hits are null.When we use OR operator then it means either 96 OR prasad should in there in document (_all)?
This worked for me
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*96* *prasad*"
, "default_operator": "OR"
}
}
]
}
}
}