why minimum_should_match does not return multiple match? - elasticsearch

I am referring to this question:
How to use "OR" in Dev Tool Query
While trying to extend this to 3 match clauses with a minimum should match number of 2, it does not return anything. When I set it like this, "minimum_should_match":1, it works, but only gives 1 match; but when I do it like this, "minimum_should_match":2, then it does not return anything, whereas I know the query should find a minimum of 2 matches, which are in the log.
So what am I doing wrong?
GET _search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "log.file.path": "mylog.log"
          }
        },
        {
          "term": {
            "GPS-LOG.IMEI": {
              "value": "1234567"
            }
          }
        },
        {
          "bool": {
            "should": [
              {
                "term": {
                  "GPS-LOG.COMMAND": {
                    "value": "HB"
                  }
                }
              },
              {
                "term": {
                  "GPS-LOG.COMMAND": {
                    "value": "DB"
                  }
                }
              },
              {
                "term": {
                  "GPS-LOG.COMMAND": {
                    "value": "TR"
                  }
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "filter": {
        "range": {
          "#timestamp": {
            "gte": "now-10m"
          }
        }
      }
    }
  }
}
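Why a value of 2 returns nothing can be seen by evaluating the query by hand. The script below is an added example, not code from the question or from Elasticsearch: it implements a small, simplified evaluator for the term, match, exists and bool clauses (match is approximated as case-insensitive whole-token overlap, and the time-range filter is left out), runs the question's bool/should block over a constructed set of log events, and shows that minimum_should_match counts the clauses satisfied by the same document, not matches spread across the result set. A document whose GPS-LOG.COMMAND holds a single value can never satisfy two of the three term clauses, so 2 matches nothing; a multi-valued field (a constructed case at the end) can.

```python
"""Minimal evaluator for a subset of the Elasticsearch bool query DSL.

Added example (not from the question or from Elasticsearch itself): it
re-implements only enough of the DSL (term, match, exists, bool with
must / should / filter / must_not and minimum_should_match) to show how
minimum_should_match is counted: per document.  All documents are constructed.
"""

# Constructed sample log events: each event carries exactly one COMMAND,
# as a typical GPS log line would.
DOCS = [
    {"log.file.path": "mylog.log", "GPS-LOG.IMEI": "1234567", "GPS-LOG.COMMAND": "HB"},
    {"log.file.path": "mylog.log", "GPS-LOG.IMEI": "1234567", "GPS-LOG.COMMAND": "DB"},
    {"log.file.path": "mylog.log", "GPS-LOG.IMEI": "1234567", "GPS-LOG.COMMAND": "TR"},
    {"log.file.path": "other.log", "GPS-LOG.IMEI": "1234567", "GPS-LOG.COMMAND": "HB"},
]


def _values(doc, field):
    """Return the field's values as a list (Elasticsearch fields may be multi-valued)."""
    v = doc.get(field)
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _as_list(clause):
    """bool sub-clauses may be a single object or an array; normalise to a list."""
    return clause if isinstance(clause, list) else [clause]


def matches(doc, query):
    """Return True if `doc` satisfies `query` (a one-key dict, like the DSL)."""
    (kind, body), = query.items()
    if kind == "term":
        (field, spec), = body.items()
        value = spec["value"] if isinstance(spec, dict) else spec
        return value in _values(doc, field)
    if kind == "match":
        # Simplification: a real match clause runs the text through the
        # field's analyzer; here it is case-insensitive whole-token overlap.
        (field, text), = body.items()
        wanted = set(str(text).lower().split())
        have = {t for v in _values(doc, field) for t in str(v).lower().split()}
        return bool(wanted & have)
    if kind == "exists":
        return bool(_values(doc, body["field"]))
    if kind == "bool":
        return _bool(doc, body)
    raise ValueError(f"unsupported clause: {kind}")


def _bool(doc, body):
    """must and filter must all hold, must_not none, should at least N of them."""
    if not all(matches(doc, q) for q in _as_list(body.get("must", []))):
        return False
    if not all(matches(doc, q) for q in _as_list(body.get("filter", []))):
        return False
    if any(matches(doc, q) for q in _as_list(body.get("must_not", []))):
        return False
    should = _as_list(body.get("should", []))
    if not should:
        return True
    # The count is taken over THIS document only.
    satisfied = sum(matches(doc, q) for q in should)
    # Elasticsearch default: 0 when must/filter is present, otherwise 1.
    default_min = 0 if (body.get("must") or body.get("filter")) else 1
    return satisfied >= int(body.get("minimum_should_match", default_min))


def run(docs, query):
    """Return the positions in `docs` of the documents matching `query`."""
    return [i for i, d in enumerate(docs) if matches(d, query)]


def command_query(minimum_should_match):
    """The question's query (without the time-range filter), parameterised."""
    return {"bool": {"must": [
        {"match": {"log.file.path": "mylog.log"}},
        {"term": {"GPS-LOG.IMEI": {"value": "1234567"}}},
        {"bool": {
            "should": [{"term": {"GPS-LOG.COMMAND": {"value": c}}} for c in ("HB", "DB", "TR")],
            "minimum_should_match": minimum_should_match,
        }},
    ]}}


if __name__ == "__main__":
    print(run(DOCS, command_query(1)))  # [0, 1, 2]: each event satisfies one clause
    print(run(DOCS, command_query(2)))  # []: no single event satisfies two
    # Constructed: an event whose COMMAND field holds two values satisfies two clauses.
    multi = dict(DOCS[0], **{"GPS-LOG.COMMAND": ["HB", "DB"]})
    print(run(DOCS + [multi], command_query(2)))  # [4]
```

The three COMMAND values are mutually exclusive per event, so "HB or DB or TR" needs minimum_should_match of 1; a value of 2 is only meaningful when the should clauses can be satisfied together by one document, for instance on a multi-valued field or across different fields.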

Related

Elasticsearch query returning far less number of records

I am running the following elasticsearch query from a groovy script. There are thousands of records which meet this criteria, but I get only 10 records in return.
{
"query":{
"bool":{
"must":[
{
"match_all":{
}
},
{
"range":{
"#Timestamp":{
"gte":1417511269270,
"lte":1575277669270,
"format":"epoch_millis"
}
}
},
{
"match_phrase":{
"field1.keyword":{
"query":"value1"
}
}
},
{
"match_phrase":{
"field2.keyword":{
"query":"value2"
}
}
},
{
"range":{
"#Timestamp":{
"gte":"2001-03-01",
"lt":"2019-10-30"
}
}
}
],
"filter":[
],
"should":[
],
"must_not":[
]
}
}
}
What am I missing in my query?
You are missing a size parameter, which means it defaults to 10 results.
e.g. add this to your query object:
"size": 100

Nested bool query with multiple must and should

Look at my use case below
Two nested fields
base1.point1
base1.point2
base1.point3
base1.point4
and
base2.point1
base2.point2
base2.point3
base2.point4
search condition
(
(base1.point1 AND base1.point2) OR (base1.point2 AND base1.point3)
)
AND
(
(base2.point1 AND base2.point2) OR (base2.point2 AND base2.point3)
)
Please help for writing above in a single query.
Note that I'm assuming that when you say nested you are actually talking about the Nested Datatype and not the plain Object Datatype.
Also, looking at your question, you are only concerned with whether the nested fields exist or not, regardless of their values. For such use cases you would need to make use of the Exists Query.
Below is how my Nested Query would be:
POST <your_index_name>/_search
{
"query":{
"bool":{
"must":[
{
"bool":{
"should":[
{
"bool":{
"must":[
{
"nested":{
"path":"base1",
"query":{
"exists":{
"field":"base1.point1"
}
}
}
},
{
"nested":{
"path":"base1",
"query":{
"exists":{
"field":"base1.point2"
}
}
}
}
]
}
},
{
"bool":{
"must":[
{
"nested":{
"path":"base1",
"query":{
"exists":{
"field":"base1.point2"
}
}
}
},
{
"nested":{
"path":"base1",
"query":{
"exists":{
"field":"base1.point3"
}
}
}
}
]
}
}
]
}
},
{
"bool":{
"should":[
{
"bool":{
"must":[
{
"nested":{
"path":"base2",
"query":{
"exists":{
"field":"base2.point1"
}
}
}
},
{
"nested":{
"path":"base2",
"query":{
"exists":{
"field":"base2.point2"
}
}
}
}
]
}
},
{
"bool":{
"must":[
{
"nested":{
"path":"base2",
"query":{
"exists":{
"field":"base2.point2"
}
}
}
},
{
"nested":{
"path":"base2",
"query":{
"exists":{
"field":"base2.point3"
}
}
}
}
]
}
}
]
}
}
]
}
}
}
Hope this helps!

Filtering ElasticSearch query where date value is lte a given value or missing

I need to filter an ES query where the value of a date field is LTE a given value or the field is missing altogether. Here's my query at this point:
{
"from":0,
"size":50,
"query":{
"bool":{
"filter":[
{
"term":{
"corpusid.string.as_is":"42:6:4"
}
},
{
"nested":{
"path":"category.object",
"query":{
"bool":{
"must":[
{
"bool":{
"should":[
{
"range":{
"category.object.startdate":{
"lte":"2021-03-09T19:32:11.316Z"
}
}
},
{
"must_not":[
{
"exists":{
"field":"category.object.startdate"
}
}
]
}
]
}
}
]
}
}
}
}
]
}
}
}
When I submit that query, I get the error "[must_not] query malformed, no start_object after query name". We're running ElasticSearch version 5.3.1 in case that matters.
I refactored the query a bit. Removed a must, added a bool for the must_not.
{
"from":0,
"size":50,
"query":{
"bool":{
"filter":[
{
"term":{
"corpusid.string.as_is":"42:6:4"
}
},
{
"nested":{
"path":"category.object",
"query":{
"bool":{
"should": [
{
"range":{
"category.object.startdate":{
"lte":"2021-03-09T19:32:11.316Z"
}
}
},
{
"bool": {
"must_not": {
"exists": {
"field": "category.object.startdate"
}
}
}
}
]
}
}
}
}
]
}
}
}

How to sort multiple array value search in elasticsearch

I have an array of values that I want to search and display its contents. What is the best method to sort the array and show the result in the array's current format?
Example of my array value:
$myarray=array('84790','19162002','74739','86439','88820','19560020','19634461','19624154','19624091','19577228');
{
"query":{
"filtered":{
"filter":{
"bool":{
"should":[
{
"term":{
"podcast_id":"84790"
}
},
{
"term":{
"podcast_id":"19162002"
}
},
{
"term":{
"podcast_id":"74739"
}
},
{
"term":{
"podcast_id":"86439"
}
},
{
"term":{
"podcast_id":"88820"
}
},
{
"term":{
"podcast_id":"19560020"
}
},
{
"term":{
"podcast_id":"19634461"
}
},
{
"term":{
"podcast_id":"19624154"
}
},
{
"term":{
"podcast_id":"19624091"
}
},
{
"term":{
"podcast_id":"19577228"
}
}
]
}
}
}
}
}
I am using php, curl and post method.
Thanks
You can use a Terms filter instead.
Something like this:
{
  "query": {
    "filtered": {
      "filter": {
        "terms": {
          "podcast_id": [
            "84790",
            "19162002",
            .....
          ]
        }
      }
    }
  }
}
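As an added example (not from the question or the answer above, which target the old filtered query that was removed in Elasticsearch 5.0), the following Python builds the terms query from the PHP array's values in the current bool/filter form, sets size explicitly so the default of 10 hits does not truncate the list, and then restores the array's order on the response, which a terms query does not preserve. The hits list is a constructed stand-in for hits.hits from a real response; the podcast_id field name is taken from the question.

```python
"""Build a `terms` query from a list of ids and put the hits back into the
list's original order.

Added example, not from the question or the answer above.  SAMPLE_HITS is a
constructed stand-in for the `hits.hits` array of a real response.
"""

MY_IDS = ["84790", "19162002", "74739", "86439"]

# Constructed response fragment, in the arbitrary order Elasticsearch
# returns filtered hits (all scores are equal under a filter).
SAMPLE_HITS = [
    {"_id": "c", "_source": {"podcast_id": "74739", "title": "third"}},
    {"_id": "a", "_source": {"podcast_id": "84790", "title": "first"}},
    {"_id": "x", "_source": {"podcast_id": "99999", "title": "not requested"}},
    {"_id": "b", "_source": {"podcast_id": "19162002", "title": "second"}},
]


def terms_query(field, ids):
    """One terms clause instead of N should/term clauses.

    `size` is set from the list length because the default of 10 would
    truncate the result as soon as the list holds more than ten ids.
    Duplicates are removed while keeping first-seen order.
    """
    unique = list(dict.fromkeys(str(i) for i in ids))
    return {
        "size": len(unique),
        "query": {"bool": {"filter": {"terms": {field: unique}}}},
    }


def order_like(ids, hits, field):
    """Return hit sources in the order `ids` lists them.

    Ids with no matching hit are skipped; hits whose id is not in the
    list are ignored; a duplicated id keeps its first hit.
    """
    position = {str(i): n for n, i in enumerate(ids)}
    keyed = {}
    for hit in hits:
        src = hit["_source"]
        key = str(src.get(field))
        if key in position and key not in keyed:
            keyed[key] = src
    return [keyed[str(i)] for i in ids if str(i) in keyed]


if __name__ == "__main__":
    print(terms_query("podcast_id", MY_IDS))
    print([h["title"] for h in order_like(MY_IDS, SAMPLE_HITS, "podcast_id")])
    # ['first', 'second', 'third']  (86439 had no hit and is skipped)
```

Because the filter clause does not score, the server has no notion of the array's order; re-ordering on the client side with a position map is O(n) and avoids a second round trip or a scripted sort.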

Which DSL is correct for performing a pre-filtered query?

I've looked back at some queries I have saved, and it appears I've managed to achieve essentially the same query in three different ways. They all return the same data, but which one is 'correct'? I.e., which one contains no superfluous code and is most performant?
Option 1
{
"query":{
"bool":{
"must":[
{
"match":{
"event":"eventname"
}
},
{
"range":{
"#timestamp":{
"gt":"now-70s"
}
}
}
]
}
},
"aggs":{
"myterms":{
"terms":{
"field":"fieldname"
}
}
}
}
Option 2
{
"query":{
"filtered":{
"filter":{
"bool":{
"must":[
{
"match":{
"event":"eventname"
}
},
{
"range":{
"#timestamp":{
"gt":"now-70s"
}
}
}
]
}
}
}
},
"aggs":{
"myterms":{
"terms":{
"field":"fieldname"
}
}
}
}
Option 3
{
"query":{
"filtered":{
"query":{
"bool":{
"must":[
{
"match":{
"event":"eventname"
}
},
{
"range":{
"#timestamp":{
"gt":"now-70s"
}
}
}
]
}
}
}
},
"aggs":{
"myterms":{
"terms":{
"field":"fieldname"
}
}
}
}
If I were to guess, I'd go for Option 2, as the others appear that they might be running match as query. But the documentation is pretty confusing regarding the correct form that DSL queries should take.
Based on your comment, I'd go for option 2, but with a simple term filter for starters instead of match, which isn't allowed in filters.
{
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"term": {
"event": "eventname"
}
},
{
"range": {
"#timestamp": {
"gt": "now-70s"
}
}
}
]
}
}
}
},
"aggs": {
"myterms": {
"terms": {
"field": "event"
}
}
}
}
