How do I write an OR query in Kibana (ElasticSearch)? - elasticsearch

Using ElasicSearch's JSON Query DSL through Kibana, how do I retrieve all documents which have:
messageTemplate equals My message
or
level equals Error

You have to use a Bool query for that :
... If the bool query is a filter context or has neither must or filter then at least one of the should queries must match a document for it to match the bool query
POST <your_index>/_search
{
"query": {
"bool": {
"should": [
{ "match_phrase" : { "messageTemplate" : "My message" } },
{ "term" : { "level" : "Error" } }
]
}
}
}

Alternatively, you could type in the Kibana search bar:
messageTemplate:"My message" || level:"Error"
or
messageTemplate:"My message" OR level:"Error"

Related

How to apply filter on filterered data in elastic search using API

How could I be able to add multiple filters on the index
I want to filter results by first_name and then by category using elastic search client
In kibana dashboard
I want to achieve the same functionality using the elastic search client and python
but I am able to filter the data only once
Sample code
#app.route('/get-data')
#login_required
def get_permission():
uri = f'https://localhost:9200/'
client = Elasticsearch(hosts=uri, basic_auth=(session['username'], session['password']), ca_certs=session['cert'], verify_certs=False)
body = {
"from" : 0,
"size" : 20,
"query" : {
"bool" : {
"must" : [],
"filter" : [],
"must_not":[],
"should" :[],
}
}
}
index_data = client.search(index=index, body=body)
return render_template('showdata.html', index_data=index_data)
I have looked into the msearch but it's not working
msearch method on devtool
Result are not correct
Is there any way to filter or reapply the search method on filtered data without messing up the old query
filter is an array in Elasticsearch DSL, and you should be able to provide multiple filters in that array, I can't help with python code, but in JSON filter array looks like
{
"query": {
"bool": {
"filter": [
{
"prefix": {
"question_body_markdown": "i"
}
},
{
"term": {
"customer.first_name": "foo"
}
}
]
}
}
}

Search for empty/present arrays in elasticsearch

I'm currently using the elasticsearch 6.5.4 and I'm trying to query for all docs in an index with an empty array on a specific field. I found the the elasticsearch has a exists dsl who is supposed to cover the empty array case.
The problem is: whem I query for a must exists no doc is returned and when I query for must not exists all documents are returned.
Since I can't share the actual mapping for legal reasons, this is the closest I can give you:
{
"foo_production" : {
"mappings" : {
"foo" : {
"properties" : {
"bar" : {
"type" : "text",
"index" : false
}
}
}
}
}
}
And the query I am performing is:
GET foo_production/_search
{
"query": {
"bool": {
"must": {
"exists": {
"field": "bar"
}
}
}
}
}
Can you guys tell me where the problem is?
Note: Upgrading the elasticsearch version is not a viable solution
Enable indexing for the field bar by setting "index" : true
The index option controls whether field values are indexed. It accepts true or false and defaults to true. Fields that are not indexed are not queryable.
Source : https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-index.html

Elasticsearch - query building - is this the correct way of doing it?

I have a document which looks like this:
{
"foo": {
"orgnr": "1"
},
"bar": {
"orgnr" : "2"
},
"created": "2015-02-12",
...
}
I have an API where a user can query for:
orgnr (required)
role (optional) - ANY by default ANY means must match at least one of bar.orgnr or foo.orgnr, but could also be role:BAR, and then it must match bar.orgnr:
created (optional)
query (optional)
Orgnr must match foo.orgnr OR bar.orgnr, and can then have a lot of other field and text queries. I match this doing a query string query. So for a request where orgnr is 1, the following query string would be generated:
(foo.orgnr:1 OR bar.orgnr:1) AND (rest of query)
Where rest of query can be for example
created:[2015-01-01 TO *]
created:[2015-01-01 TO *] AND *query*
But i'm not sure this is actually the correct way or doing this. Reading https://www.elastic.co/guide/en/elasticsearch/guide/current/_queries_and_filters.html makes me insecure.
I could also use a boolean match, with must for the orgnr.
With role:BAR the following query would be generated:
(bar.orgnr:1) AND (rest of query)
The most important here is that orgnr is actually matched towards foo OR bar orgnr.
Or should I use a filter for this instead?
A bool query in filter context is a fine way of doing it. The Should requires at least one clause to match.
POST _search
{
"query": {
"constant_score": {
"filter": {
"bool": {
"should": [
{
"term": {
"foo.orgnr": "1"
}
},
{
"term": {
"bar.orgnr": "1"
}
}
]
}
}
}
}
}

Combination of and or elasticsearch

How to write query for following condition in elasticsearch
Select * from table1 where (cnd1 or cond2) and (cnd3)
My cond2 value is from nested object . My json object is below
details={ "name"="name1",
"address":"{
"city":"city1"
}"
}
I need to take city from above object
details.address.city
Is above syntax is right , if not how to get value of second object city.
{
"bool" : {
"must" : cond3,
"should" : [
cond1,
cond2
],
"minimum_should_match" : 1
}
}
go through this link for more info https://www.elastic.co/guide/en/elasticsearch/reference/2.3/query-dsl-bool-query.html
You can easily create a conditional queries with Elasticsearch. But there is some weird situation of your data section.
details={ "name"="name1",
"address":"{
"city":"city1"
}"
}
Elasticsearh save your data as a json object, but you should give your data as a json. In this section, there is an object, you try to sent. Let us examine:
There is a name attribute of detail object, it is a string. And also there is a address attribute, and it is a string too. It should be an object which has to include a city attribute if you want to reach this object via details.address.city. Now we try to fix:
{
"id":...,
...
"details": {
"name": "name1",
"address": {
"city": "city1"
}
}
}
In this case, I remove double quotation marks of details object. Now, you can reach city attribute of json as a json object. Now, we create a query to reach cities:
{
"query": {
"bool": {
"must": {
"term": {
"your-json-attribute": "???"
}
},
"should": [
{
"term": {
"your-json-attribute": "???"
}
},
{
"term": {
"your-json-attribute": "???"
}
}
]
}
}
}
I use term query but there is lots of another query types. You can check them on documentation. But for And and Or, you can use bool query. Check https://www.elastic.co/guide/en/elasticsearch/reference/2.0/query-dsl-bool-query.html

Is there anyway to create alias on query search?

I want to create an alias on top of this. Index - test, Type - type
POST /test/type/_search
{
"query": {
"match": {
"brand_name": "xyz"
}
}
}
But I don't see anyway of doing it,since Elasticsearch aliases can only be created on filters and when I try with term filter,I don't get the results which I want.Any trick to achieve this ?
You can use a query filter to use any query as a filter:
"filter" : {
"query" : {
"match" : {
"brand_name" : "xyz"
}
}
}

Resources