Which query does the search api execute by default in elasticsearch - elasticsearch

In Elasticsearch, I can access the default search API like
server:9200/index/_search?q=keyword but how can I replicate this if I am building the query myself? I've tried multi_match and query_string, but the result set seems a bit different than the default search API.
PS: I am using the Elasticsearch PHP client, if that matters

The equivalent query to server:9200/index/_search?q=keyword is a query_string query like this one:
{
  "query": {
    "query_string": {
      "query": "keyword"
    }
  }
}

Related

ElasticSearch - Using "now" range in query_string returns 0 hits

When I try to run the query "myfield < now" inside the Kibana DevTools Console it returns zero hits. However, when I run the same query inside Kibana Discover it returns many hits.
How can I get the same hits inside the console using a "now" range?
This is what my request inside the console looks like:
GET /myindex/_search
{
  "query": {
    "query_string": {
      "query": "myfield < now"
    }
  }
}
P.S. myfield is a date field
P.P.S. I am using version 7.5.0 of Elasticsearch
With query_string (which uses the Lucene expression language) you need to do it this way:
GET /myindex/_search
{
  "query": {
    "query_string": {
      "query": "myfield:[* TO now]"
    }
  }
}
In recent versions of Kibana, the search bar uses KQL, the Kibana Query Language which supports the < operator.
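As an added example (not part of the answer above), the following Python helper turns a KQL-style comparison such as "myfield < now" into the Lucene range syntax that query_string understands, and wraps it in a request body. It goes a little beyond the answer: the bracket form in the answer, [* TO now], is inclusive (the equivalent of <=), while Lucene uses curly braces for the exclusive bound that a strict < asks for, so the helper emits both forms depending on the operator. Date math such as now-1d is passed through untouched. The function names are my own.

```python
import re

# Lucene range syntax: square brackets are inclusive, curly braces exclusive.
# Each entry maps a comparison operator to the range clause it corresponds to.
_OPS = {
    '<':  lambda v: '{* TO %s}' % v,
    '<=': lambda v: '[* TO %s]' % v,
    '>':  lambda v: '{%s TO *}' % v,
    '>=': lambda v: '[%s TO *]' % v,
}

# field name, operator, value; longer operators are listed first so that
# "<=" is not split into "<" followed by "=".
_COMPARISON = re.compile(r'^\s*([\w.@]+)\s*(<=|>=|<|>)\s*(\S+)\s*$')


def comparison_to_lucene_range(field: str, op: str, value: str) -> str:
    """Build a field:range clause for query_string, e.g. myfield:{* TO now}."""
    if op not in _OPS:
        raise ValueError('unsupported operator: %r' % op)
    return '%s:%s' % (field, _OPS[op](value))


def kql_comparison_to_query_string(expr: str) -> dict:
    """Translate "field < value" into a query_string request body."""
    m = _COMPARISON.match(expr)
    if not m:
        raise ValueError('not a simple comparison: %r' % expr)
    field, op, value = m.groups()
    clause = comparison_to_lucene_range(field, op, value)
    return {'query': {'query_string': {'query': clause}}}


if __name__ == '__main__':
    import json
    # The expression from the question, rewritten for the console.
    print(json.dumps(kql_comparison_to_query_string('myfield < now'), indent=2))
```

The regex only accepts one comparison; anything more complex should be built with the query DSL's range query rather than by string concatenation, which also avoids having user-controlled text interpreted as query syntax.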

Join in Kibana to fetch data from two ElasticSearch indexes

I have two indexes, "indexname" and "indexnamelookup", in the Elasticsearch instance. I have created the index pattern indexname* in Kibana and am trying to join the two fields "IP" (a field in indexname) and "location.IP" (a field in indexnamelookup).
GET /indexname*/_search?q=*
{
  "query": {
    "multi_match": {
      "query": "",
      "fields": [
        "IP",
        "location.IP"
      ]
    }
  }
}
The above query is working fine in Elasticsearch, but it is not working in Kibana. Has anyone else faced a similar situation?
The ?q=* in your query turns it into a match_all that ignores the body.
I assume we're talking about Discover in Kibana: the query location.IP : "foo" or IP : "foo" will work.
Alternatively you can use your Elasticsearch query in Kibana as well if you add a filter and then use the Query DSL:

ElasticSearch: Using match_phrase for all fields

As a user of Elasticsearch 5, I have been using something like this to search for a given phrase in all fields:
GET /my_index/_search
{
  "query": {
    "match_phrase": {
      "_all": "this is a phrase"
    }
  }
}
Now, the _all field is going away, and match_phrase does not seem to work like query_string, where you can simply use something like this to run a search for all fields:
"query": {
  "query_string": {
    "query": "word"
  }
}
What is the alternative for an exact phrase search across all fields without using the _all field, from version 6.0?
I have many fields per document, so specifying all of them in the query is not really a solution for me.
You can find the answer in the Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-all-field.html
It says:
Use a custom field and the mapping copy_to parameter
So, you have to create custom fields in source, and copy all other fields to it.
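As an added example (my own code, not from the answer or from the Elasticsearch project), here is a Python helper that does the mapping work the answer describes: it walks an existing mapping, adds copy_to on every text and keyword field (including fields nested under object properties), declares the target field, and builds the match_phrase query that replaces the old _all search. The sample mapping is constructed for the example; the field name all_text and the function names are my own choices.

```python
import json
from typing import Dict, Any

# Constructed sample mapping standing in for "many fields per document".
SAMPLE_MAPPING: Dict[str, Any] = {
    'properties': {
        'title': {'type': 'text'},
        'body': {'type': 'text'},
        'views': {'type': 'integer'},          # not text: must not be copied
        'author': {                             # object field with nested props
            'properties': {
                'name': {'type': 'text'},
                'email': {'type': 'keyword'},
            }
        },
    }
}


def _walk(props: Dict[str, Any], target: str, types) -> None:
    """Rewrite `props` in place, copying each eligible field into `target`.
    Every spec is copied before modification so the caller's mapping is
    left untouched."""
    for name, spec in list(props.items()):
        if name == target:
            continue
        if 'properties' in spec:
            spec = dict(spec)
            spec['properties'] = dict(spec['properties'])
            _walk(spec['properties'], target, types)
            props[name] = spec
        elif spec.get('type') in types:
            spec = dict(spec)
            existing = spec.get('copy_to', [])
            if isinstance(existing, str):       # copy_to may be a single name
                existing = [existing]
            if target not in existing:
                existing = existing + [target]
            spec['copy_to'] = existing
            props[name] = spec


def add_copy_to(mapping: Dict[str, Any], target: str = 'all_text',
                types=('text', 'keyword')) -> Dict[str, Any]:
    """Return a new mapping in which every text/keyword field is copied into
    one catch-all field named `target`, the replacement for _all."""
    props = dict(mapping.get('properties', {}))
    _walk(props, target, types)
    props[target] = {'type': 'text'}
    return {'properties': props}


def phrase_query(phrase: str, target: str = 'all_text') -> Dict[str, Any]:
    """The match_phrase query that replaces {"match_phrase": {"_all": ...}}."""
    return {'query': {'match_phrase': {target: phrase}}}


if __name__ == '__main__':
    print(json.dumps(add_copy_to(SAMPLE_MAPPING), indent=2))
    print(json.dumps(phrase_query('this is a phrase'), indent=2))
```

Two things to keep in mind when applying this for real: copy_to has to be present in the mapping before documents are indexed (existing documents need a reindex), and the copied values are indexed into the target field but are not stored in _source, so the catch-all field is only usable for searching.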

What elastic search request body is equivalent to URI search?

If I made a request using the URL:
http://myserver/stuff/stuff/_search?q=TEST
Then what is the equivalent document that I would POST to that endpoint without a query string?
I've tried:
{
  "query": {
    "term": { "_all": "TEST" }
  }
}
But with how our indexes are set up this doesn't return anything (but ?q=TEST does). The most basic search example in the API specifies a field to search against and I don't want to do that. I want to search as open ended and unrestricted as if I had used the query string.
As mentioned in the official documentation, a URI search query string (i.e. q=...) is equivalent to sending a query_string query in the body.
So this
curl -XGET http://myserver/stuff/stuff/_search?q=TEST
is equivalent to this
curl -XPOST http://myserver/stuff/stuff/_search -d '{
  "query": {
    "query_string": {
      "query": "TEST"
    }
  }
}'
Both queries will default to searching against the _all field, which is what you want.
q: The query string (maps to the query_string query, see Query String Query for more details).
From the documentation.
https://www.elastic.co/guide/en/elasticsearch/reference/2.x/search-uri-request.html
This is the corresponding query DSL:
{
  "query": {
    "query_string": {
      "default_field": "_all",
      "query": "TEST"
    }
  }
}
Also relevant:
The default field for query terms if no prefix field is specified.
Defaults to the index.query.default_field index settings, which in
turn defaults to _all.

Elasticsearch search body from URL search

If I do a search directly against Elasticsearch in a browser, such as:
http://localhost:9200/mydocs/_search?q=Awesome%20Search
What does the search body actually look like? Is it doing a multi_match and including all fields? I've tried writing a multi_match including all the fields and I get different results from doing it right in the browser.
?q=... is not a multi_match query; it is a URI search, which uses the query_string query.
So your search is "translated" to:
{
  "query": {
    "query_string": {
      "query": "Awesome Search"
    }
  }
}
You need to pass the multi_match query as the request body, like this:
curl -XGET 'http://localhost:9200/your_index/_search?pretty=true' -d '{"query":{"multi_match":{"query":"keyword","fields":["field1","field2"]}}}'
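The three answers above (the first one on this page, the one about the URI search body, and this one) all make the same point: ?q=... is a query_string query. As an added example, not code from any of the answers, the following Python snippet builds that body from a search URL, percent-decoding the q parameter the way the server does. Because query_string parses Lucene syntax, a keyword taken from a user can contain operators (field:value, wildcards, ranges) that change what is searched; the literal option backslash-escapes the reserved characters listed in the Elasticsearch documentation so the keyword is matched as typed. The function names are my own.

```python
from urllib.parse import urlsplit, parse_qs

# Characters that the query_string parser treats as syntax, per the
# Elasticsearch docs. '<' and '>' cannot be escaped at all, so they are
# dropped. The word operators AND, OR and NOT are not characters and are
# not handled here.
_RESERVED = set('+-=&|!(){}[]^"~*?:\\/')
_UNESCAPABLE = set('<>')


def escape_query_string(text: str) -> str:
    """Backslash-escape reserved characters so the text is searched as a
    literal keyword rather than parsed as Lucene syntax."""
    out = []
    for ch in text:
        if ch in _UNESCAPABLE:
            continue
        out.append('\\' + ch if ch in _RESERVED else ch)
    return ''.join(out)


def uri_search_to_body(url: str, literal: bool = False) -> dict:
    """Return the request body equivalent to a ?q=... URI search.

    With literal=True the keyword is escaped first, so operators typed by
    the user cannot change the structure of the query."""
    params = parse_qs(urlsplit(url).query)   # decodes %20 and '+' to spaces
    if 'q' not in params:
        raise ValueError('URL has no q parameter')
    q = params['q'][0]
    if literal:
        q = escape_query_string(q)
    return {'query': {'query_string': {'query': q}}}


if __name__ == '__main__':
    import json
    print(json.dumps(
        uri_search_to_body('http://localhost:9200/mydocs/_search?q=Awesome%20Search'),
        indent=2))
```

Whether to escape depends on who controls the keyword: the raw form reproduces the browser search exactly, the literal form is the one to use when the keyword comes from an untrusted caller and only a plain text match is intended.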
