I want to sort my list by true value in a field called trusted.
I have found that the sort option does not support boolean sorting.
How can I achieve this?
If I understood your issue well, I tried to do a test locally on ES version 7.8, and I ingested the following data in my index:
"content": "This is a test",
"trusted": true
"content": "This is a new test",
"trusted": true
"content": "This is not a test",
"trusted": false
Here is the mapping of the index:
"mappings" : {
"properties" : {
"content" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"trusted" : {
"type" : "boolean"
}
}
}
Here is the query when "order" : "desc":
{
"sort": [
{
"trusted": {
"order": "desc"
}
}
]
}
The response:
"hits" : [
{
"_index" : "boolean-sorting",
"_type" : "_doc",
"_id" : "B-YleHQBsTCl1BZvrFdA",
"_score" : null,
"_source" : {
"content" : "This is a test",
"trusted" : true
},
"sort" : [
1
]
},
{
"_index" : "boolean-sorting",
"_type" : "_doc",
"_id" : "CeYleHQBsTCl1BZvtFdJ",
"_score" : null,
"_source" : {
"content" : "This is a new test",
"trusted" : true
},
"sort" : [
1
]
},
{
"_index" : "boolean-sorting",
"_type" : "_doc",
"_id" : "DOYleHQBsTCl1BZvvVfl",
"_score" : null,
"_source" : {
"content" : "This is not a test",
"trusted" : false
},
"sort" : [
0
]
}
]
When "order":"asc", the response is:
"hits" : [
{
"_index" : "boolean-sorting",
"_type" : "_doc",
"_id" : "DOYleHQBsTCl1BZvvVfl",
"_score" : null,
"_source" : {
"content" : "This is not a test",
"trusted" : false
},
"sort" : [
0
]
},
{
"_index" : "boolean-sorting",
"_type" : "_doc",
"_id" : "B-YleHQBsTCl1BZvrFdA",
"_score" : null,
"_source" : {
"content" : "This is a test",
"trusted" : true
},
"sort" : [
1
]
},
{
"_index" : "boolean-sorting",
"_type" : "_doc",
"_id" : "CeYleHQBsTCl1BZvtFdJ",
"_score" : null,
"_source" : {
"content" : "This is a new test",
"trusted" : true
},
"sort" : [
1
]
}
]
Links:
https://www.elastic.co/guide/en/elasticsearch/reference/current/sort-search-results.html
Please let me know If i wrongly answered, I will be glad to help.
Related
I need help for a query.
This is my query and my sample :
GET /product/_search
{
"query": {
"bool" : {
"must" : {
"multi_match" : {
"query": "Torsades",
"fields": [ "ean^10", "name^4", "brand" ]
}
}
}
}
}
[
{
"_index" : "product_2022-05-13-194440",
"_type" : "_doc",
"_id" : "1",
"_score" : 13.78764,
"_source" : {
"country" : 1,
"ean" : "3250391967858",
"name" : "Torsades Semi-complètes BIO - 500G",
"brand" : "Fiorini"
}
},
{
"_index" : "product_2022-05-13-194440",
"_type" : "_doc",
"_id" : "74",
"_score" : 13.78764,
"_source" : {
"country" : null,
"ean" : "3564700009826",
"name" : "Pâtes Torsades - Turini - 500 g",
"brand" : "Turini"
}
},
{
"_index" : "product_2022-05-13-194440",
"_type" : "_doc",
"_id" : "78",
"_score" : 11.964245,
"_source" : {
"country" : null,
"ean" : "3250391967858",
"name" : "Torsades Semi-complètes BIO - 500G - ITM BENCHMARK",
"brand" : "Fiorini"
}
}
]
I want a condition specific and I can't find the solution :
I want :
ALL products for country=1 AND (ALL products for country=null MINUS product.ean IN country=1)
In my sample, I want have 2 hits :
THIS is deleted because EAN in country=1 :
{
"_index" : "product_2022-05-13-194440",
"_type" : "_doc",
"_id" : "78",
"_score" : 11.964245,
"_source" : {
"country" : null,
"ean" : "3250391967858",
"name" : "Torsades Semi-complètes BIO - 500G - ITM BENCHMARK",
"brand" : "Fiorini"
}
}
Someone have a solution ?
EDIT :
I want this result :
[
{
"_index" : "product_2022-05-13-194440",
"_type" : "_doc",
"_id" : "1",
"_score" : 13.78764,
"_source" : {
"country" : 1,
"ean" : "3250391967858",
"name" : "Torsades Semi-complètes BIO - 500G",
"brand" : "Fiorini"
}
},
{
"_index" : "product_2022-05-13-194440",
"_type" : "_doc",
"_id" : "74",
"_score" : 13.78764,
"_source" : {
"country" : null,
"ean" : "3564700009826",
"name" : "Pâtes Torsades - Turini - 500 g",
"brand" : "Turini"
}
}
]
You tried to use Field Collapsing?
GET test/_search
{
"query": {
"bool": {
"must": {
"multi_match": {
"query": "Torsades",
"fields": [
"ean^10",
"name^4",
"brand"
]
}
}
}
},
"collapse": {
"field": "ean.keyword"
}
}
Response:
"hits" : [
{
"_index" : "test",
"_type" : "_doc",
"_id" : "1",
"_score" : 0.5611319,
"_source" : {
"country" : 1,
"ean" : "3250391967858",
"name" : "Torsades Semi-complètes BIO - 500G",
"brand" : "Fiorini"
},
"fields" : {
"ean.keyword" : [
"3250391967858"
]
}
},
{
"_index" : "test",
"_type" : "_doc",
"_id" : "2",
"_score" : 0.5611319,
"_source" : {
"country" : null,
"ean" : "3564700009826",
"name" : "Pâtes Torsades - Turini - 500 g",
"brand" : "Turini"
},
"fields" : {
"ean.keyword" : [
"3564700009826"
]
}
}
]
I'm trying to get autocomplete suggestions from Elasticsearch, but sorted by an internal popularity score that I supply in the data, so that the most popular ones show at the top. My POST looks like this:
curl "http://penguin:9200/node/_search?pretty" --silent --show-error \
--header "Content-Type: application/json" \
-X POST \
-d '
{
"_source" : [
"name",
"popular_score"
],
"sort" : [ "popular_score" ],
"suggest" : {
"my_suggestion" : {
"completion" : {
"field" : "searchbar_suggest",
"size" : 10,
"skip_duplicates" : true
},
"text" : "f"
}
}
}
'
I get back valid autocomplete suggestions, but they aren't sorted by the popular_score field:
{
...
"suggest" : {
"my_suggestion" : [
{
"text" : "f",
"offset" : 0,
"length" : 1,
"options" : [
{
"text" : "2020 Fact Longlist",
"_index" : "node",
"_type" : "_doc",
"_id" : "245105",
"_score" : 1.0,
"_source" : {
"popular_score" : "35",
"name" : "2020 Fact Longlist"
}
},
{
"text" : "Fable",
"_index" : "node",
"_type" : "_doc",
"_id" : "125903",
"_score" : 1.0,
"_source" : {
"popular_score" : "69.33333333333333333333333333333333333333",
"name" : "Fable"
}
},
{
"text" : "Fables",
"_index" : "node",
"_type" : "_doc",
"_id" : "172986",
"_score" : 1.0,
"_source" : {
"popular_score" : "24",
"name" : "Fables"
}
}
...
]
}
]
}
}
My mappings are:
{
"mappings": {
"properties": {
"nodeid": {
"type": "integer"
},
"name": {
"type": "text",
"copy_to": "searchbar_suggest"
},
"popular_score": {
"type": "float"
},
"searchbar_suggest": {
"type": "completion"
}
}
}
}
What am I doing wrong?
I'm trying to make sure that only documents where "relationship_type":"group" is returned but why is "relationship_type: "event" being returned as well with a score similar to "relationship_type":"group"? Also why isn't my source filtering working?
My request on dev-tools
POST get-together/_search?size=5
{
"query": {
"match": { "relationship_type": "group" }
},
"fields": ["relationship_type"],
"_source": false
}
The response, note that I had to put a limit on the size, otherwise it was returning everything for some reason. My source isnt being filtered and the last document doesn't match my query
{
"took" : 0,
"timed_out" : false,
"_shards" : {
"total" : 2,
"successful" : 2,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 20,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "get-together",
"_type" : "_doc",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"relationship_type" : "group",
"name" : "Denver Clojure",
"organizer" : [
"Daniel",
"Lee"
],
"description" : "Group of Clojure enthusiasts from Denver who want to hack on code together and learn more about Clojure",
"created_on" : "2012-06-15",
"tags" : [
"clojure",
"denver",
"functional programming",
"jvm",
"java"
],
"members" : [
"Lee",
"Daniel",
"Mike"
],
"location_group" : "Denver, Colorado, USA"
}
},
{
"_index" : "get-together",
"_type" : "_doc",
"_id" : "2",
"_score" : 1.0,
"_source" : {
"relationship_type" : "group",
"name" : "Elasticsearch Denver",
"organizer" : "Lee",
"description" : "Get together to learn more about using Elasticsearch, the applications and neat things you can do with ES!",
"created_on" : "2013-03-15",
"tags" : [
"denver",
"elasticsearch",
"big data",
"lucene",
"solr"
],
"members" : [
"Lee",
"Mike"
],
"location_group" : "Denver, Colorado, USA"
}
},
{
"_index" : "get-together",
"_type" : "_doc",
"_id" : "3",
"_score" : 1.0,
"_source" : {
"relationship_type" : "group",
"name" : "Elasticsearch San Francisco",
"organizer" : "Mik",
"description" : "Elasticsearch group for ES users of all knowledge levels",
"created_on" : "2012-08-07",
"tags" : [
"elasticsearch",
"big data",
"lucene",
"open source"
],
"members" : [
"Lee",
"Igor"
],
"location_group" : "San Francisco, California, USA"
}
},
{
"_index" : "get-together",
"_type" : "_doc",
"_id" : "5",
"_score" : 1.0,
"_source" : {
"relationship_type" : "group",
"name" : "Enterprise search London get-together",
"organizer" : "Tyler",
"description" : "Enterprise search get-togethers are an opportunity to get together with other people doing search.",
"created_on" : "2009-11-25",
"tags" : [
"enterprise search",
"apache lucene",
"solr",
"open source",
"text analytics"
],
"members" : [
"Clint",
"James"
],
"location_group" : "London, England, UK"
}
},
{
"_index" : "get-together",
"_type" : "_doc",
"_id" : "100",
"_score" : 1.0,
"_routing" : "1",
"_source" : {
"relationship_type" : {
"name" : "event",
"parent" : "1"
},
"host" : [
"Lee",
"Troy"
],
"title" : "Liberator and Immutant",
"description" : "We will discuss two different frameworks in Clojure for doing different things. Liberator is a ring-compatible web framework based on Erlang Webmachine. Immutant is an all-in-one enterprise application based on JBoss.",
"attendees" : [
"Lee",
"Troy",
"Daniel",
"Tom"
],
"date" : "2013-09-05T18:00",
"location_event" : {
"name" : "Stoneys Full Steam Tavern",
"geolocation" : "39.752337,-105.00083"
},
"reviews" : 4
}
}
]
}
}
This is what my mapping for the relationship_typefield looks like
You need to remove the empty line that is between the POST and the JSON query otherwise the query is not taken into account.
In Dev Tools, it should look like this:
POST get-together/_search?size=5
{ <---- no empty line here
"query": {
"match": { "relationship_type": "group" }
},
"fields": ["description"],
"_source": false
}
My elasticSearch query is like:
{
"size": 0,
"aggs": {
"group_by_id": {
"terms": {
"field": "Infos.InstanceInfo.ID.keyword",
"size": 1000
},
"aggs": {
"tops": {
"top_hits": {
"size": 100,
"sort": {
"Infos.InstanceInfo.StartTime": "asc"
}
}
}
}
}
}
}
It works fine, I have a result of this form:
aggregations
=========>group_by_id
==============>buckets
{key:id1}
===============>docs
{doc1.Status:"KO"}
{doc2.Status:"KO"}
{key:id2}
===============>docs
{doc1.Status:"KO"}
{doc2.Status:"OK"}
{key:id3}
===============>docs
{doc1.Status:"KO"}
{doc2.Status:"OK"}
I'm trying to add a filter, so when "OK" the result must be like this:
aggregations
=========>group_by_id
==============>buckets
{key:id2}
===============>docs
{doc1.Status:"KO"}
{doc2.Status:"OK"}
{key:id3}
===============>docs
{doc1.Status:"KO"}
{doc2.Status:"OK"}
and for "KO" :
aggregations
=========>group_by_id
==============>buckets
{key:id1}
===============>docs
{doc1.Status:"KO"}
{doc2.Status:"KO"}
Fields "Startime" & "Status" are at the same level "Infos.InstanceInfo.[...]"
Any idea?
EDIT
Sample docs:
{
"took" : 794,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 10000,
"relation" : "gte"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"group_by_id" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 143846,
"buckets" : [
{
"key" : "1000",
"doc_count" : 6,
"tops" : {
"hits" : {
"total" : {
"value" : 6,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "vHFvoXYBVWrYChNi7hB7",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "1000",
"StartTime" : "2020-12-27T00:43:56.011+01:00",
"status" : "KO"
}
}
},
"sort" : [
1609026236011
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "xHFvoXYBVWrYChNi7xAB",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "1000",
"StartTime" : "2020-12-27T00:43:56.145+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609026236145
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "xXFvoXYBVWrYChNi7xAC",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "1000",
"StartTime" : "2020-12-27T00:43:56.147+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609026236147
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "x3FvoXYBVWrYChNi7xAs",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "1000",
"StartTime" : "2020-12-27T00:43:56.188+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609026236188
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "yHFvoXYBVWrYChNi7xAs",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "1000",
"StartTime" : "2020-12-27T00:43:56.19+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609026236190
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "ynFvoXYBVWrYChNi7xBd",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "1000",
"StartTime" : "2020-12-27T00:43:56.236+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609026236236
]
}
]
}
}
},
{
"key" : "2000",
"doc_count" : 2,
"tops" : {
"hits" : {
"total" : {
"value" : 2,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "7HL_onYBVWrYChNij4Is",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "2000",
"StartTime" : "2020-12-27T08:00:26.011+01:00",
"status" : "KO"
}
}
},
"sort" : [
1609052426011
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "9HL_onYBVWrYChNij4Kz",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "2000",
"StartTime" : "2020-12-27T08:00:26.146+01:00",
"status" : "KO"
}
}
},
"sort" : [
1609052426146
]
}
]
}
}
},
{
"key" : "3000",
"doc_count" : 6,
"tops" : {
"hits" : {
"total" : {
"value" : 6,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "7nNRpHYBVWrYChNiiruh",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "3000",
"StartTime" : "2020-12-27T14:09:36.015+01:00",
"status" : "KO"
}
}
},
"sort" : [
1609074576015
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "9nNRpHYBVWrYChNii7s5",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "3000",
"StartTime" : "2020-12-27T14:09:36.166+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609074576166
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "93NRpHYBVWrYChNii7s5",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "3000",
"StartTime" : "2020-12-27T14:09:36.166+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609074576166
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "-XNRpHYBVWrYChNii7ti",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "3000",
"StartTime" : "2020-12-27T14:09:36.209+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609074576209
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "-nNRpHYBVWrYChNii7ts",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "3000",
"StartTime" : "2020-12-27T14:09:36.219+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609074576219
]
},
{
"_index" : "azerty",
"_type" : "_doc",
"_id" : "_HNRpHYBVWrYChNii7ud",
"_score" : null,
"_source" : {
"Infos" : {
"InstanceInfo" : {
"ID" : "3000",
"StartTime" : "2020-12-27T14:09:36.269+01:00",
"status" : "OK"
}
}
},
"sort" : [
1609074576269
]
}
]
}
}
}
]
}
}
}
Assuming the status field is under Infos.InstanceInfo and it's of the keyword mapping, you can utilize the filter aggregation:
{
"size": 0,
"aggs": {
"status_KO_only": {
"filter": { <--
"term": {
"Infos.InstanceInfo.Status": "KO"
}
},
"aggs": {
"group_by_id": {
"terms": {
"field": "Infos.InstanceInfo.ID.keyword",
"size": 1000
},
"aggs": {
"tops": {
"top_hits": {
"size": 100,
"sort": {
"Infos.InstanceInfo.StartTime": "asc"
}
}
}
}
}
}
}
}
}
In this particular case you could've applied the same term query in the query part of the search request without having to use a filter aggregation.
If you want to get both OK and KO in the same request, you can copy/paste the whole status_KO_only aggregation, rename the 2nd one, and voila -- you now have both groups in one request. You can of course have as many differently named (top-level) filter aggs as you like.
Now, when you indeed need multiple filter aggs at once, there's a more elegant way that does not require copy-pasting -- enter the filters aggregation:
{
"size": 0,
"aggs": {
"by_statuses": {
"filters": { <--
"filters": {
"status_KO": {
"term": {
"Infos.InstanceInfo.Status": "KO"
}
},
"status_OK": {
"term": {
"Infos.InstanceInfo.Status": "OK"
}
}
}
},
"aggs": {
"group_by_id": {
"terms": {
"field": "Infos.InstanceInfo.ID.keyword",
"size": 1000
},
"aggs": {
"tops": {
"top_hits": {
"size": 100,
"sort": {
"Infos.InstanceInfo.StartTime": "asc"
}
}
}
}
}
}
}
}
}
Any of the child sub-aggregations will automatically be the buckets of the explicitly declared term filters.
I personally find the copy/paste approach more readable, esp. when constructing such requests dynamically (based on UI dropdowns and such.)
I'm having trouble making a query on elasticsearch 7.3
I create an index as this:
PUT myindex
{
"mappings": {
"properties": {
"files": {
"type": "nested"
}
}
}
}
After I create three documents:
PUT myindex/_doc/1
{
"SHA256" : "94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2",
"files" : [
{
"filename" : "firstfilename.exe",
"datetime" : 111111111
},
{
"filename" : "secondfilename.exe",
"datetime" : 111111144
}
]
}
PUT myindex/_doc/2
{
"SHA256" : "87ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22c5a",
"files" : [
{
"filename" : "thirdfilename.exe",
"datetime" : 111111133
},
{
"filename" : "fourthfilename.exe",
"datetime" : 111111122
}
]
}
PUT myindex/_doc/3
{
"SHA256" : "565e049335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22c5a",
"files" : [
{
"filename" : "fifthfilename.exe",
"datetime" : 111111155
}
]
}
How can I get the last two files based on the datetime (ids: 1 and 3)?
I would SHA256 of the last two DATETIME ordered by DESC..
I did dozens of tests but none went well...
I don't write the code I tried because I'm really on the high seas ...
I would a result like this or similar:
{
"SHA256": [
"94ee05933....a2af6a22cc2",
"565e04933....a2af6a22c5a"
]
}
Query:
GET myindex/_search
{
"_source":"SHA256",
"sort": [
{
"files.datetime": {
"mode":"max",
"order": "desc",
"nested_path": "files"
}
}
],
"size": 2
}
Result:
"hits" : [
{
"_index" : "myindex",
"_type" : "_doc",
"_id" : "3",
"_score" : null,
"_source" : {
"SHA256" : "565e049335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22c5a"
},
"sort" : [
111111155
]
},
{
"_index" : "myindex",
"_type" : "_doc",
"_id" : "1",
"_score" : null,
"_source" : {
"SHA256" : "94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2"
},
"sort" : [
111111144
]
}
]
In sort you will get the max date time value . So If you need to get file names too , you can add it in _source and use sort file to get appropriate file name.
A bit more complicated query this will give you exactly two values.
GET myindex/_search
{
"_source": "SHA256",
"query": {
"bool": {
"must": [
{
"nested": {
"path": "files",
"query": {
"match_all": {}
},
"inner_hits": {
"size":1,
"sort": [
{
"files.datetime": "desc"
}
]
}
}
}
]
}
},
"sort": [
{
"files.datetime": {
"mode": "max",
"order": "desc",
"nested_path": "files"
}
}
],
"size": 2
}
Result:
[
{
"_index" : "myindex",
"_type" : "_doc",
"_id" : "3",
"_score" : null,
"_source" : {
"SHA256" : "565e049335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22c5a"
},
"sort" : [
111111155
],
"inner_hits" : {
"files" : {
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "myindex",
"_type" : "_doc",
"_id" : "3",
"_nested" : {
"field" : "files",
"offset" : 0
},
"_score" : null,
"_source" : {
"filename" : "fifthfilename.exe",
"datetime" : 111111155
},
"sort" : [
111111155
]
}
]
}
}
}
},
{
"_index" : "myindex",
"_type" : "_doc",
"_id" : "1",
"_score" : null,
"_source" : {
"SHA256" : "94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2"
},
"sort" : [
111111144
],
"inner_hits" : {
"files" : {
"hits" : {
"total" : {
"value" : 2,
"relation" : "eq"
},
"max_score" : null,
"hits" : [
{
"_index" : "myindex",
"_type" : "_doc",
"_id" : "1",
"_nested" : {
"field" : "files",
"offset" : 1
},
"_score" : null,
"_source" : {
"filename" : "secondfilename.exe",
"datetime" : 111111144
},
"sort" : [
111111144
]
}
]
}
}
}
}
]