Develop Reference

how to write Elastic search query for exact match for a string

I am using kibanna
I am trying to put filter on a field container_name = "armenian"
but I have other container names with following names
armenian_alpha
armenian_beta
armenian_gama
armenian1
armenian2
after putting the filter , search query in kibanna becomes
{
"query": {
"match": {
"container_name": {
"query": "armenian",
"type": "phrase"
}
}
}
}
But the output searches logs for all containers , as I can see the Elastic search query is using a pattern matching
How can I put an exact match with the string provided and avoid the rest ?

You can try out with term query. Do note that it is case sensitive by default unless you specify with case_insensitive equals to true. Also, if your container_name is a text field type instead of keyword field type, do add the .keyword after the field name. Otherwise, ignore the .keyword.
Example:
GET /_search
{
"query": {
"term": {
"container_name.keyword": {
"value": "armenian"
}
}
}
}
Link here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html

I would recommend using a direct wildcard in query or wildcard as follow
GET /_search
{
"query": {
"match": {
"container_name": {
"query": "*armenian",
"type": "phrase"
}
}
}
}
GET /_search
{
"query": {
"wildcard": {
"container_name": {
"value": "*armenian"
}
}
}
}
With *armenian you are ensuring that armenian comes at the end.

Elasticsearch - how to search for part of word across all indices and documents

I want to make a search that works like this:
when I enter "Desc" for example, I want to get everything that contains "Desc", and not to be case sensitive. I don't want to include index name, or document, I want it to search across everything.
I tried this but it doesn't work very well.
GET /_search
{
"query":
{ "query_string":
{
"query": "Test*"
}
}
}

From the latest docs any of these techniques will get you the job done
GET /_search
{
"query": {
"query_string" : {
"query" : "*desc*"
}
}
}
**OR**
GET /_all/_search
{
"query": {
"query_string" : {
"query" : "*desc*"
}
}
}
**OR**
GET /*/_search
{
"query": {
"query_string" : {
"query" : "*desc*"
}
}
}

Try using wild card search. Make sure the field you are searching is text field.
{
"query": {
"query_string" : {
"query" : "*desc*"
}
}
}
If you want to use all index you can query like this
curl -XGET 'http://localhost:9200/index1,index2/_search
PS: Performance wise this is a bad idea since this searches all fields in index. Alternatively you can use use default_field in the query string and specidy the field.

elasticsearch added wildcard fails query

Works as expected:
{
"query": {
"query_string": {
"query": "Hofstetten-Grünau"
}
}
}
an added wildcard at the end delivers no results and I wonder why:
{
"query": {
"query_string": {
"query": "Hofstetten-Grünau*"
}
}
}
how to fix it?
elasticsearch v5.3.2
This delivers results:
{
"query": {
"query_string": {
"query": "Hofstetten*"
}
}
}
I use a single search field. The end user can freely use wildcards as they see fit. A user might type in:
hofstetten grünau
+ort:hofstetten-grünau
+ort:Hofstetten-G*
so using a match query wont work out for me.
I am using Jest (Java Annotations) as Mapping, and using "default" for this field. My index mapping declares nothing special for the field:
{
"mappings": {
"_default_": {
"date_detection": false,
"dynamic_templates": [{
}]
}
}
}

Adding the wildcard "*" at the end of your query string is causing the query analyzer to interpret the dash between "Hofstetten" and "Grünau" as a logical NOT operator. So you're actually searching for documents that contain Hofstetten but do NOT contain Grünau.
You can verify this by doing the following variations of your search:
"query": "Hofstetten-XXXXX" #should not return results
"query": "Hofstetten-XXXXX*" #should return results
To fix this I would recommend using a match query instead of a query_string query:
{"query": {"match": { "city": "Hofstetten-Grünau" }}}'
(with whatever your appropriate field name is in place of city).

Elasticsearch query not working on fields with capital letters

I have been using/mapping the string field to being index: "not_analyzed" but still not able to get search results for capital letter strings ?? I searched the whole internet inside out , but there is no simple workaround.
Sample data:
{
"job_status":"Finished",
"build_number":"94",
"build_duration":778,
"#timestamp":"1455317284293",
"build_result":"UNSTABLE",
"slave_node":"tiny-cmsbuild03",
"job_name":"DMWM-WMCore-RunTests-Oracle"
},
{
"job_status":"Finished",
"build_number":"96",
"build_duration":859,
"#timestamp":"1455662929042",
"build_result":"UNSTABLE",
"slave_node":"tiny-cmsbuild02",
"job_name":"DMWM-WMCore-RunTests-Oracle"
},
{
"job_status":"Finished",
"build_number":"89",
"build_duration":385,
"#timestamp":"1454453359226",
"build_result":"UNSTABLE",
"slave_node":"tiny-cmsbuild06",
"job_name":"DMWM-WMCore-RunTests-Oracle"
}
kibana3 is making this query:
"query": {
"filtered": {
"query": {
"bool": {
"should": [
{
"query_string": {
"query": "job_name:D*"
}
}
]
}
},
"filter": {
"bool": {
"must": [
{
"match_all": {}
}
]
}
}
}
}
but get no results.

The reason you don't get any results is because the query_string query has a parameter called lowercase_expanded_terms which is true by default.
What it does is to lowercase the query string you're passing to it, so that job_name:D* becomes job_name:d*, hence why nothing is matching.
However, if you query like this, i.e. by setting lowercase_expanded_terms to false, it will work:
curl -XGET localhost:9200/your_index/_search?lowercase_expanded_terms=false&q=job_name:D*

what's difference between simple_query_string and query_string?

I had a nested field source in my index seems like this:
"source": [
{
"name": "source_c","type": "type_a"
},
{
"name": "source_c","type": "type_b"
}
]
I used query_string query and simple_query_string query to query type_a and got two different result.
query_string
{
"size" : 3,
"query" : {
"bool" : {
"filter" : {
"query_string" : {
"query" : "source:\"source.type:=\"type_a\"\""
}
}
}
}
}
I got 163459 hits in 294088 docs.
simple_query_string
{
"size": 3,
"query": {
"bool": {
"filter": {
"simple_query_string": {
"query": "source:\"source.type:=\"type_a\"\""
}
}
}
}
}
I got 163505 hits in 294088 docs.
I only made three different types type_a,type_b,type_c randomly. So I had to say 163459 and 163505 were very little difference in 294088 docs.
I noly got one info in Elasticsearch Reference [2.1]
Unlike the regular query_string query, the simple_query_string query will never throw an exception, and discards invalid parts of the query.
I don't think it's the reason to make the difference.
I want to know what make the little different results between query_string and simple_query_string?

As far as I know, nested query syntax is not supported for either query_string or simple_query_string. It is an open issue, and this is the PR regarding that issue.
Then how are you getting the result? Here Explain API will help you understand what is going on. This query
{
"size": 3,
"query": {
"bool": {
"filter": {
"simple_query_string": {
"query": "source:\"source.type:=\"type_a\"\""
}
}
}
}
}
have a look at the output, you will see
"description": "ConstantScore(QueryWrapperFilter(_all:source _all:source.type _all:type_a)),
so what is happening here is that ES looking for term source , source.type or type_a, it finds type_a and returns the result.
You will also find something similar with query_string using explain api
Also query_string and simple_query_string have different syntax, for e.g field_name:search_text is not supported in simple_query_string.
Correct way to query nested objects is using nested query
EDIT
This query will give you desired results.
{
"query": {
"nested": {
"path": "source",
"query": {
"term": {
"source.type": {
"value": "type_a"
}
}
}
}
}
}
Hope this helps!!

Acording to the documentation simple_query_string is meant to be used with unsafe input.
So that users can enter anything and it will not throw exception if input is invalid. Will simply discard invalid input.