I am trying to combine match query and range query but its not working properly.
GET file*/_search
{
"query":{
"bool":{
"should":[
{
"match":{
"message":"timeout"
}
},
{
"match":{
"message":"java.lang.IllegalStateException"
}
},
{
"range":{
"#timestamp":{
"gt":"now-1h",
"lte":"now",
"time_zone":"+01:00"
}
}
}
]
}
}
}
Date filter is not working properly here ,am i doing something wrong here?
Thanks
Replace }, with ], and add filter to query. For example:
{
"query": {
"bool": {
"should": [
{ "match":{ "message":"timeout" }},
{ "match":{ "message":"java.lang.IllegalStateException"}}
],
"filter": [
{ "range": { "#timestamp": { "gt": "now-15m", "lte": "now", "time_zone":"+01:00" }}}
]
}
}
}
Related
Hi Bellow Search provides me Log where it has both "value": "HB" and "value": "1234567" as, I am using Term, however, What I am looking for this if this match
("value": "HB" OR "value": "TR" ) AND "value": "1234567"
but not understanding how to do in below,
Can anyone please help me
GET _search
{ "query": { "bool": { "must": [ { "match": {"log.file.path":"mylog.log" } }
{
"term": {
"GPS-LOG.COMMAND": {
"value": "HB"
}
}
},
{
"term": {
"GPS-LOG.IMEI": {
"value": "1234567"
}
}
}
], "filter": {
"range": {
"#timestamp": {
"gte": "now-10m"
}
} }
} }
At first glace, it seems like this should have a simple solution. However, since you are using the term query, you can only search one value at a time. I don't know your mapping but if you are using a text field you shouldn't be using term query.
However, to solve this using the term query, you have to create the OR operator using the minimum_should_match combined with should.
See the following code:
GET _search
{
"query":{
"bool":{
"must":[
{
"match":{
"log.file.path":"mylog.log"
}
},
{
"term":{
"GPS-LOG.IMEI":{
"value":"1234567"
}
}
},
{
"bool":{
"should":[
{
"term":{
"GPS-LOG.COMMAND":{
"value":"HB"
}
}
},
{
"term":{
"GPS-LOG.COMMAND":{
"value":"TR"
}
}
}
],
"minimum_should_match":1
}
}
],
"filter":{
"range":{
"#timestamp":{
"gte":"now-10m"
}
}
}
}
}
}
I have some questions about nested query.
Here is my example. The mapping is {"user":"nested"}.The exist data just like this:
{
"user": [
{
"first":"John",
"last":"Smith"
},
{
"first":"Alice",
"last":"White"
}
]
}
How do I create a query to find this document that meets all the conditions:
the first object of user that its "first" is "John" and "last" is "Smith";
the second object of user that its "first" is "Alice" and "last" is "White"
Try with below query :
{
"query":{
"bool":{
"filter":[
{
"bool":{
"must":[
{
"bool":{
"must":[
{
"nested":{
"query":{
"bool":{
"must":[
{
"match_phrase":{
"user.first":{
"query":"John"
}
}
},
{
"match_phrase":{
"user.last":{
"query":"Smith"
}
}
}
]
}
},
"path":"user"
}
},
{
"nested":{
"query":{
"bool":{
"must":[
{
"match_phrase":{
"user.first":{
"query":"Alice"
}
}
},
{
"match_phrase":{
"user.last":{
"query":"White"
}
}
}
]
}
},
"path":"user"
}
}
]
}
}
]
}
}
]
}
}
}
Below query is what you are looking for. You simply need to have two nested queries, one for each conditions you've mentioned, combined in a bool using must clause.
Note that I'm assuming that the fields user.first and user.last are of text type having standard analyzer
POST <your_index_name>
{
"query":{
"bool":{
"must":[
{
"nested":{
"path":"user",
"query":{
"bool":{
"must":[
{
"match":{
"user.first":"john"
}
},
{
"match":{
"user.last":"smith"
}
}
]
}
}
}
},
{
"nested":{
"path":"user",
"query":{
"bool":{
"must":[
{
"match":{
"user.first":"alice"
}
},
{
"match":{
"user.last":"white"
}
}
]
}
}
}
}
]
}
}
}
Hope this helps!
The answer is:
{
"query": {
"bool": {
"must": [
{
"has_parent": {
"parent_type": "doc",
"query": {
"bool": {
"must": [
{
"terms": {
"id": [
713
]
}
},
{
"range": {
"created": {
"lte": "now/d"
}
}
},
{
"range": {
"expires": {
"gte": "now/d"
}
}
}
]
}
}
}
},
{
"nested": {
"path": "prices",
"query": {
"bool": {
"filter": [
{
"term": {
"prices.id_prcknd": 167
}
}
]
}
}
}
},
{
"term": {
"doc_type": "item"
}
},
{
"bool": {
"should": [
{
"term": {
"have_prices": true
}
},
{
"term": {
"is_folder": true
}
}
]
}
}
],
"must_not": {
"exists": {
"field": "folder"
}
}
}
},
"sort": [
{
"is_folder": {
"order": "desc"
}
},
{
"title_low.order": {
"order": "asc"
}
}
],
"size": 1000
}
I am trying to make an elasticsearch query where, I need to search for a time frame in the elasticsearch table. I have records which has startime and endtime. And from UI I am giving a starttime and endtime which is time windows for which I need to search files for. Assuming the time window of starttime and endtime in the records is smaller than the time window entered by user, I have created the following query:
{
"_source":["filename","starttime","endtime"],
"sort":[{
"starttime":{"order":"asc"}
}],
"query":{
"bool":{
"should":{
"bool":{
"must":[
"range":{
"starttime":{
"lte":1489602610000
}
},
"range":{
"endtime":{
"gte":1489602610000,
}
}
]
}
},
"should":{
"bool":{
"must":[
"range":{
"starttime":{
"gte":1489602610000
}
},
"range":{
"endtime":{
"lte":1489689000000
}
}
]
}
},
"should":{
"bool":{
"must":[
"range":{
"starttime":{
"lte":1489689000000
}
},
"range":{
"endtime":{
"gte":1489689000000
}
}
]
}
}
}
}
}
I am getting error
"Unexpected character (':' (code 58)): was expecting comma to separate
Array entries\n at [Source:
org.elasticsearch.transport.netty4.ByteBufStreamInput#29263f09; line:
11, column: 33]"
There are several issues with your query:
one dangling comma
more than one bool/should clauses
range queries not properly wrapped inside curly braces
You can find the correct query below:
{
"_source": [
"filename",
"starttime",
"endtime"
],
"sort": [
{
"starttime": {
"order": "asc"
}
}
],
"query": {
"bool": {
"should": [
{
"bool": {
"must": [
{
"range": {
"starttime": {
"lte": 1489602610000
}
}
},
{
"range": {
"endtime": {
"gte": 1489602610000
}
}
}
]
}
},
{
"bool": {
"must": [
{
"range": {
"starttime": {
"gte": 1489602610000
}
}
},
{
"range": {
"endtime": {
"lte": 1489689000000
}
}
}
]
}
},
{
"bool": {
"must": [
{
"range": {
"starttime": {
"lte": 1489689000000
}
}
},
{
"range": {
"endtime": {
"gte": 1489689000000
}
}
}
]
}
}
]
}
}
}
I want to do multiple text search in same field
for example in sub_cat_seo_url field i want to get 'english-news' and 'business-news' filter by language and region
when i tried like below code it is not working
{
"query":{
"filtered":{
"query":{
"query_string":{
"query":[
"english-news",
"business-news"
],
"fields":[
"sub_cat_seo_url"
]
}
},
"filter":{
"bool":{
"must":[
{
"term":{
"lang":"en"
}
},
{
"term":{
"region":"1"
}
}
]
}
}
}
}
}
For single text search it is working fine
{
"query":{
"filtered":{
"query":{
"query_string":{
"query":"english-news",
"fields":[
"sub_cat_seo_url"
]
}
},
"filter":{
"bool":{
"must":[
{
"term":{
"lang":"en"
}
},
{
"term":{
"region":"1"
}
}
]
}
}
}
}
}
Please help what have to change in my code, to do multi text search in same field (or operation)
Thanks
Thanigaivelan
Try out this
{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "\"english-news\" AND \"business-news\"",
"fields": [
"sub_cat_seo_url"
]
}
},
"filter": {
"bool": {
"must": [
{
"term": {
"lang": "en"
}
},
{
"term": {
"region": "1"
}
}
]
}
}
}
}
}
I'm building up the following search in code, the idea being that it filters down the set of matches then queries this so I can add score based on certain fields. For some reason the filter part works but whatever I put in the query (i.e. in the below I have no index sdfsdfsdf) it still returns anything matching the filter.
Is the syntax wrong?
{
"query":{
"filtered":{
"query":{
"bool":{
"must":{
"match":{
"sdfsdfsdf":{
"query":"4",
"boost":2.0
}
}
}
},
"filter":{
"bool":{
"must":[
{
"terms":{
"_id":[
"55f93ead5df34f1900abc20b",
"55f8ab0226ec4bb216d7c938",
"55dc4e949dcf833308c63d6b"
]
}
},
{
"range":{
"published_date":{
"lte":"now"
}
}
}
],
"must_not":{
"terms":{
"_id":[
"55f0a799acccc28204a5058c"
]
}
}
}
}
}
}
}
}
Your filter is not at the right level. It should not be inside query but at the same level as query like this:
{
"query": {
"filtered": {
"query": { <--- query and filter at the same level
"bool": {
"must": {
"match": {
"sdfsdfsdf": {
"query": "4",
"boost": 2
}
}
}
}
},
"filter": { <--- query and filter at the same level
"bool": {
"must": [
{
"terms": {
"_id": [
"55f93ead5df34f1900abc20b",
"55f8ab0226ec4bb216d7c938",
"55dc4e949dcf833308c63d6b"
]
}
},
{
"range": {
"published_date": {
"lte": "now"
}
}
}
],
"must_not": {
"terms": {
"_id": [
"55f0a799acccc28204a5058c"
]
}
}
}
}
}
}
}
You need to replace sdfsdfsdf with your existing field name in your type, e.g. title, otherwise I think it will fallback to match_all query.
"match":{
"title":{
"query": "some text here",
"boost":2.0
}
}