I am trying to achieve something like this:
GET /services/_search
{
"size": 10,
"_source": [
"doc.time",
"doc.timezone"
],
"query": {
"bool": {
"must": [
{
"range": {
"doc.time": {
"gte": "now-7d/d",
"time_zone": "US/Pacific"
}
}
}
]
}
}
}
This query works.
Each doc has its own time zone which is specified inside Elastic Search document.
I need to use doc.timezone instead of "US/Pacific".
Is that possible to achieve in Elastic Search?
Related
i have to query elastic search for some data and all my filters are drop down values as in they are exact matches only so i thought of using only the filter query and not any must or match query, so is there any problem with this kind of approach.
in the below example i am trying to get last 15 min data where L1 is any 1 of ("XYZ","CFG") and L2 is any 1 of ( "ABC","CDE")
My query looks like below :
{
"size": 20,
"sort": [
{
"eventTs": "desc"
}
],
"query": {
"bool": {
"filter": [
{
"range": {
"eventTs": {
"gte": "now-15m",
"lte": "now",
"format": "epoch_millis",
"boost": 1
}
}
},
{
"terms": {
"l1": [
"XYZ","CFG"
]
}
},
{
"terms": {
"l2":[
"ABC","CDE"
]
}
}
]
}
}
}
If you don't need _score which is used to show the relevant documents according to their score, you can use filter which is executed in much faster way(since calculation of score is disabled), and cached as well.
Must read query and filter context for in-depth understanding of these concepts.
I have been trying to use a must query with bool but I am failing to get the results.
In pseudo-SQL:
SELECT * FROM info WHERE (ulevel= '1.3.10' or ulevel= '1.3.6') AND (#timestamp between '2017-06-05T07:00:00.000Z' and '2017-06-05T07:00:00.000Z')
Here is what I have:
"query": {
"bool": {
"must": [
{
"query_string": {
"default_field": "_all",
"query": "*"
},
"range": {
"#timestamp": {
"from": "2017-06-05T07:00:00.000Z",
"to": "2017-06-05T07:20:00.000Z"
}
},
"bool": {
"should": [
{"term": { "ulevel": "1.3.10"}},
{"term": { "ulevel": "1.3.6"}}
]
}
}
]
}
}
Does anyone have a solution?
Thank you so much.
You can use terms query for the first part and the range query for the second part
GET _search
{
"query": {
"bool": {
"must": [
{
"terms": {
"ulevel": [
"1.3.10",
"1.3.6"
]
}
},
{
"range": {
"#timestamp": {
"gte": "2017-06-05T07:00:00.000Z",
"lte": "2017-06-05T07:20:00.000Z"
}
}
}
]
}
},
"from": 0,
"size": 20
}
Some Notes :
Filters documents that have fields that match any of the provided terms (not analyzed)
Also you can use some date spesific formulation with rage filter. Please check the range query page https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html#ranges-on-dates more information.
Update:
Added from and size for comment question.
I have a query to search for a provider_id from the Elastic Search Cluster. I am using the below query to get results for a single provider_id but need help in figuring out how can I pass a list of providers.
{
"query": {
"bool": {
"must": [{
"match": {
"message.provider_id": {
"query": 943523,
"type": "phrase"
}
}
}]
}
}
}
Suppose I want to search for provider_ids = [913523, 923523, 923523, 933523, 953523] then how should I modify the query?
You could index the provider_id as not_analyzed and then use a terms query:
POST /test_index/_search
{
"query": {
"terms": {
"message.provider_id": [
"913523", "923523", "923523", "933523", "953523"
]
}
}
}
or as a bool query with a filter if you are not going to need the score:
POST /test_index/_search
{
"query": {
"bool": {
"filter": [
{
"terms": {
"message.provider_id": [
"913523", "923523", "923523", "933523", "953523"
]
}
}
]
}
}
}
I have worked with Elasticsearch and have done some research on the Internet how to query data with a certain text and how to query data within a range of timestamp, using Elasticsearch PHP Client API. Now I would like to combine these two queries in one. Lets say search for a certain text and within a range of a certain timestamp. Can someone please tell me how to do that using Elasticsearch PHP Client API? Thanks in advanced! I have searched on the Internet but still cannot combine these two queries in one :-(
Here is an example of a bool query, the logic here is that the record must fall within a date range and should also contain the text in the textfield field. You could have both query conditions within the must clause.
{
"from": 0,
"size": 20,
"query": {
"bool": {
"must": [
{
"range": {
"datefield": {
"gte": "from",
"lte": "to"
}
}
}
],
"should": [
{
"match": {
"textfield": {
"query": "Name",
"boost": 10
}
}
}
]
}
}
}
UPDATE - OR MUST HAVE BOTH
{
"from": 0,
"size": 20,
"query": {
"bool": {
"must": [
{
"range": {
"datefield": {
"gte": "from",
"lte": "to"
}
}
},
{
"match": {
"textfield": {
"query": "Name",
"boost": 10
}
}
}
]
}
}
}
In my ES index, documents have two fields, score_min and score_max, which I am trying to boost in a bool query.
I want to boost all documents for which score_min <= expected_score <= score_max is true.
I know that I can put two range queries in the must clause, but that would mean that other documents would get overlooked.
Is there a way to do something like this
..
..
"should": [
...
...
"some_query": {
"and": [
"range": {
"score_min": {
"lte": expected_score
},
},
"range": {
"score_max": {
"gte": expected_score
}
}
"boost": 2
]
}
]
You can do this using the function_score query. One of the added benefits is that your range query can be written as a filter instead, and so take advantage of filter caching:
curl -XGET "http://localhost:9200/_search" -d'
{
"query": {
"function_score": {
"query": {
"match": { "some_field": "foo bar" }
},
"functions": [
{
"boost_factor": 1.2
"filter": {
"bool": {
"must": [
{ "range": { "score_min": { "lte": 10 }}},
{ "range": { "score_max": { "gte": 10 }}}
]
}
}
}
]
}
}
}'
All results matching the query are returned, but any results which additionally match the filter will have their score multiplied by boost_factor.