Get exact values filter in Elastic/Lucene - elasticsearch

When querying Elastic with:
"query": {
  "bool": {
    "must": [
      {
        "query_string": {
          "query": "data.payload.NSFILEID.num:1492141378",
          "analyze_wildcard": true
        }
      }
    ]
  }
}
I get docs with data.payload.NSFILEID.num = 1492141378 and close ones.
Same behaviour with:
{
  "query": {
    "term": {
      "data.payload.NSFILEID.num": 1492141378
    }
  }
}
This field is indexed as a number.
How could I get only exact ones?

Related

Elasticsearch combine term and range query on nested key/value data

I have ES documents structured in a flat data structure using the nested data type, as they accept arbitrary JSON that we don't control, and we need to avoid a mapping explosion. Here's an example document:
{
  "doc_flat": [
    {
      "key": "timestamp",
      "type": "date",
      "key_type": "timestamp.date",
      "value_date": [
        "2023-01-20T12:00:00Z"
      ]
    },
    {
      "key": "status",
      "type": "string",
      "key_type": "status.string",
      "value_string": [
        "warning"
      ]
    },
    ... more arbitrary fields ...
  ],
}
I've figured out how to query this nested data set to find matches on this arbitrary nested data, using a query such as:
{
  "query": {
    "nested": {
      "path": "doc_flat",
      "query": {
        "bool": {
          "must": [
            {"term": {"doc_flat.key": "status"}},
            {"term": {"doc_flat.value_string": "warning"}}
          ]
        }
      }
    }
  }
}
And I figured out how to find documents matching a particular date range:
{
  "query": {
    "nested": {
      "path": "doc_flat",
      "query": {
        "bool": {
          "must": [
            {"term": {"doc_flat.key": "timestamp"}},
            {
              "range": {
                "doc_flat.value_date": {
                  "gte": "2023-01-20T00:00:00Z",
                  "lte": "2023-01-21T00:00:00Z"
                }
              }
            }
          ]
        }
      }
    }
  }
}
But I'm struggling to combine these two queries together, in order to search for documents that have nested documents which match these two conditions:
a doc_flat.key of status, and a doc_flat.value_string of warning
a doc_flat.key of timestamp, and a doc_flat.value_date in a range
Obviously I can't just shove the second set of query filters into the same must array, because then no documents will match. I think I need to go "one level higher" in my query and wrap it in another bool query? But I can't get my head around how that would look.
Have you tried two nested queries inside a bool query?
{
  "query": {
    "bool": {
      "filter": [
        {
          "nested": {
            "path": "doc_flat",
            "query": {
              "bool": {
                "must": [
                  {
                    "term": {
                      "doc_flat.key": "timestamp"
                    }
                  },
                  {
                    "range": {
                      "doc_flat.value_date": {
                        "gte": "2023-01-20T00:00:00Z",
                        "lte": "2023-01-21T00:00:00Z"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      ],
      "must": [
        {
          "nested": {
            "path": "doc_flat",
            "query": {
              "bool": {
                "must": [
                  {
                    "term": {
                      "doc_flat.key": "status"
                    }
                  },
                  {
                    "term": {
                      "doc_flat.value_string": "warning"
                    }
                  }
                ]
              }
            }
          }
        }
      ]
    }
  }
}
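As an added example (not code from the question or the answer above), here is a small local model of Elasticsearch's nested-query semantics over the question's doc_flat document, constructed here and trimmed to the fields the queries use. It shows why putting both conditions in one nested must array matches nothing, while one nested clause per condition matches, and it emits the equivalent DSL for the latter.

```python
# Added example: local model of nested-query semantics for the doc_flat layout.
# The document and conditions are constructed from the question above.

DOC = {"doc_flat": [
    {"key": "timestamp", "value_date": ["2023-01-20T12:00:00Z"]},
    {"key": "status", "value_string": ["warning"]},
]}

# A condition is a list of clauses that must all hold on the SAME nested object.
STATUS_WARNING = [("term", "key", "status"), ("term", "value_string", "warning")]
DATE_RANGE = [("term", "key", "timestamp"),
              ("range", "value_date", ("2023-01-20T00:00:00Z", "2023-01-21T00:00:00Z"))]

def clause_holds(obj, clause):
    kind, field, arg = clause
    values = obj.get(field, [])
    if kind == "term":
        return arg in values
    if kind == "range":  # ISO-8601 UTC timestamps of equal form compare correctly as text
        lo, hi = arg
        return any(lo <= v <= hi for v in values)
    raise ValueError(kind)

def nested_matches(doc, must):
    """One nested clause: some object in doc_flat satisfies ALL clauses in must."""
    return any(all(clause_holds(o, c) for c in must) for o in doc["doc_flat"])

def doc_matches(doc, conditions):
    """Outer bool.must of nested clauses: each condition may hit a different object."""
    return all(nested_matches(doc, must) for must in conditions)

def to_dsl(clause):
    kind, field, arg = clause
    if kind == "term":
        return {"term": {"doc_flat." + field: arg}}
    return {"range": {"doc_flat." + field: {"gte": arg[0], "lte": arg[1]}}}

def build_query(conditions):
    """The shape from the answer: one nested clause per condition under bool.must."""
    return {"query": {"bool": {"must": [
        {"nested": {"path": "doc_flat",
                    "query": {"bool": {"must": [to_dsl(c) for c in must]}}}}
        for must in conditions]}}}

if __name__ == "__main__":
    print(doc_matches(DOC, [STATUS_WARNING, DATE_RANGE]))    # True
    print(nested_matches(DOC, STATUS_WARNING + DATE_RANGE))  # False: no single object has both keys
```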

Search on multi index in elasticsearch

I want to search objects in Elasticsearch which are a combination of two indices.
Is there a way to search on two indices with a specific condition on them?
For example:
I have an index siem-referencedata-list with lists' metadata. Each document has a subset index based on its id (siem-referencedata-list-documentsId).
How could I set a query that checks siem-referencedata-list and its subsets?
I have the below query for siem-referencedata-list:
POST siem-referencedata-list/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "query_string": {
                  "default_field": "list.name",
                  "query": "*list1*",
                  "default_operator": "OR"
                }
              }
            ]
          }
        },
        {
          "bool": {
            "should": [
              {
                "query_string": {
                  "default_field": "list.type",
                  "query": "*Keyword*",
                  "default_operator": "OR"
                }
              }
            ]
          }
        }
      ]
    }
  }
}
and I also have the below query for the indices based on the above documents' ids (siem-referencedata-list-*):
POST siem-referencedata-list-*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "query_string": {
                  "query": "*30.3.30.3*"
                }
              }
            ]
          }
        }
      ]
    }
  }
}
How can I set a query to combine them?
Search items on siem-referencedata-list and also on siem-referencedata-list-* and return the items that are in both results.
I set two different queries and get two different arrays. How can I get the intersection of these two arrays?
This is a workaround: add a property to the documents in this specific index "siem-referencedata-list" while indexing,
and use that property to query the documents.
I added a specific word, column-, to the documents of the indices "siem-referencedata-list-*" and I separated the query function of "siem-referencedata-list" and its subsets.
POST siem-referencedata-list/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "query_string": {
                  "query": "*list1*",
                  "fields": ["column-*"]
                }
              }
            ]
          }
        }
      ]
    }
  }
}

Elasticsearch _search, is it possible to do that?

I'm trying to return only the content that matches a specific field value and not return the rest of the document's data... I mean, I'm trying to apply a filter over the data of a document... but I can't yet. In SQL it's so easy, but in ES I still don't understand xD
So this is an image of the query and the document to explain better:
Query code:
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "params.show": true
          }
        },
        {
          "nested": {
            "path": "childs",
            "query": {
              "nested": {
                "path": "childs.params",
                "query": {
                  "bool": {
                    "must": {
                      "match": {
                        "childs.params.show": true
                      }
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  }
}

Get unique data from a field using ElasticSearch query DSL in Kibana

I already have various queries that collect data and show it in the Kibana dashboard.
Now I would like to get unique values from my result data. How can I write the query DSL for that?
Basically I would like to get the unique values for the field contextMap.connectionid. Is there a way to achieve that using something similar to this example?
{
  "query": {
    "bool": {
      "must": [
        {
          "nested": {
            "path": "app",
            "query": {
              "bool": {
                "must": [
                  {
                    "match": {
                      "app.key": "contextMap.connectionid"
                    }
                  }
                ]
              }
            }
          }
        }
      ]
    }
  }
}
You can calculate a distinct count with the help of an aggregation.
So, your search query is:
{
  "query": {
    "bool": {
      "must": [
        {
          "nested": {
            "path": "app",
            "query": {
              "bool": {
                "must": [
                  {
                    "match": {
                      "app.key": "contextMap.connectionid"
                    }
                  }
                ]
              }
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "uniqueconnectionId": {
      "terms": {
        "field": "contextMap.connectionid.keyword"
      }
    }
  }
}
You can refer here for calculating the distinct values of a field: https://discuss.elastic.co/t/get-distinct-values-from-a-field-in-elasticsearch/99783

Elasticsearch Array

I have the following values in my documents.
"ReturnCode": [ "0", "0" ]
"ReturnCode": [ "0", "1" ]
If I search 0,0 it should return the 1st document, and if I search 0,1 then it should return the 2nd document. I am trying the following query but it's not giving the correct result. The result must match all array elements.
GET test/_search
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "bool": {
          "must": [
            {
              "terms": { "ReturnCode": [ "0", "1" ] }
            }
          ]
        }
      }
    }
  }
}
Thanks
The terms query is an OR query.
GET test/_search
{
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "bool": {
          "must": [
            {
              "term": { "ReturnCode": "0" }
            },
            {
              "term": { "ReturnCode": "1" }
            }
          ]
        }
      }
    }
  }
}
You need to create individual term queries inside the must clause, as above.
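As an added example (not code from the question or the answer above), this models locally the difference the answer relies on: a terms query is satisfied when ANY listed value occurs in the array, while a bool.must of one term query per value requires EVERY listed value. It runs over the two documents from the question, constructed here, and also shows the whole-array equality the question actually asks for, which neither shape expresses on its own.

```python
# Added example: terms (OR) versus must-of-term (AND) over an array field.
# DOCS holds the two documents from the question, constructed here.

DOCS = {
    "doc1": {"ReturnCode": ["0", "0"]},
    "doc2": {"ReturnCode": ["0", "1"]},
}

def terms_query(doc, field, values):
    """terms: true if ANY wanted value occurs in the array field."""
    return any(v in doc[field] for v in values)

def must_of_terms(doc, field, values):
    """bool.must with one term per value: true only if EVERY wanted value occurs."""
    return all(v in doc[field] for v in values)

def exact_array(doc, field, values):
    """Whole-array equality (order-insensitive), which neither shape above gives."""
    return sorted(doc[field]) == sorted(values)

def search(matcher, values):
    """Names of the sample documents the matcher accepts, in sorted order."""
    return sorted(n for n, d in DOCS.items() if matcher(d, "ReturnCode", values))

def must_of_terms_dsl(field, values):
    """DSL for the answer's approach, written with bool.filter, which is the
    Elasticsearch 5+ form of the filtered query used in the posts above."""
    return {"query": {"bool": {"filter": [{"term": {field: v}} for v in values]}}}

if __name__ == "__main__":
    print(search(terms_query, ["0", "1"]))    # ['doc1', 'doc2']: OR, both contain a "0"
    print(search(must_of_terms, ["0", "1"]))  # ['doc2']: only doc2 contains both
    print(search(must_of_terms, ["0", "0"]))  # ['doc1', 'doc2']: a repeated "0" adds nothing
    print(search(exact_array, ["0", "0"]))    # ['doc1']
```

The third call is the caveat for the answer's shape: two term "0" clauses still match both documents, because must-of-term checks that values are present, not that the array equals the list.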
