When I'm trying to search for a documents with such query (field indexed with Standard analyzer):
"query": {
"match": {
"Book": "OG/44"
}
}
I've got terms 'OG' and '44' and the result set will contain results where could be either of these terms. What analyzer/tokenizer I should use to get results when only both of terms are present?
You can set operator in match query (by default it is or)
"query": {
"match": {
"Book": {
"query": "OG/44",
"operator" : "and"
}
}
}
You have two tokens because standard analyzer tokenized them by slash, so if you need not this behaviour you can escape it
Related
I am using kibanna
I am trying to put filter on a field container_name = "armenian"
but I have other container names with following names
armenian_alpha
armenian_beta
armenian_gama
armenian1
armenian2
after putting the filter , search query in kibanna becomes
{
"query": {
"match": {
"container_name": {
"query": "armenian",
"type": "phrase"
}
}
}
}
But the output searches logs for all containers , as I can see the Elastic search query is using a pattern matching
How can I put an exact match with the string provided and avoid the rest ?
You can try out with term query. Do note that it is case sensitive by default unless you specify with case_insensitive equals to true. Also, if your container_name is a text field type instead of keyword field type, do add the .keyword after the field name. Otherwise, ignore the .keyword.
Example:
GET /_search
{
"query": {
"term": {
"container_name.keyword": {
"value": "armenian"
}
}
}
}
Link here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html
I would recommend using a direct wildcard in query or wildcard as follow
GET /_search
{
"query": {
"match": {
"container_name": {
"query": "*armenian",
"type": "phrase"
}
}
}
}
GET /_search
{
"query": {
"wildcard": {
"container_name": {
"value": "*armenian"
}
}
}
}
With *armenian you are ensuring that armenian comes at the end.
I have a field with tokenizer that splits by dots.
on search, the following value aaa.bbb will be splitted to two terms aaa and bbb.
My question is how to write bool query that will contain multiple conditions on the same term?
For example, i want to get all docs where its field contains a term that matches a fuzzy search for gmail but also the same term must not contain gamil.
Here are some examples of what i want to achieve:
bmail // MATCH: since its matches fuzzy search and is not gamil
gamil.bmail // MATCH: since the term bmail matches fuzzy search and is not gamil
gamil // NO MATCH: since its matches fuzzy search and but equals gamil
NOTE: the following query does NOT appear to be working since it looks as if one term matches one condition and the second term matches the other, it will be considered a hit.
{
...
"body": {
"query": {
"bool": {
"must": [
{
"fuzzy": {
"my_field": {
"value": "gmail",
"fuzziness": 1,
"max_expansions": 2100000000
}
}
},
{
"bool": {
"must_not": [
{
"query_string": {
"default_field": "my_field",
"query": "*gamil*",
"analyzer": "keyword"
}
}
]
}
}
]
}
}
},
}
I ended up using Highlight by executing fuzzy (or any other) query, and then programatically filter the results by the returned highlight object.
span queries might also be a good option if you don't need regular expression or you can make sure you don't exceed the boolean query limit.
(see more details in the provided link)
{
"size": 0,
"query": {
"bool": {
"must": [
{
"range": {
"timestamp": {
"gte": "now-30m/m"
}
}
},
{
"match": {
"type": "ERROR"
}
},
{
"wildcard": {
"Name": "*Rajesh*"
}
},
{
"wildcard": {
"Name": "*Shiv*"
}
}
]
}
}
}
I want search in the name field using wildcard that matches any of the two wildcard values (Rajesh,Shiv).And i need to look tat the results from last 30 minutes. When i am using this wildcard, it does not give me any result. Replacing 'Wildcard' with 'match' worked though . like "match" :"Rajesh" or "match" :"Shiv". Is there something wrong with usage of wildcard in my query ?
Most probably cause of the error is that you are using text field to store the names like Rajeash and Shiv and text fields by default uses the standard analyzer which lowercase the generated tokens so tokens would be creates as rajesh and shiv. Note the lowercase in the tokens.
When you use the match query, it uses the same analyzer so again it search with lowercase tokens and you get the result while wildcard query you are specifying the capital letter which doesn't matches the tokens in index.
change your wildcard query to *rajesh* and *shiv* and it should work, otherwise provide the mapping to further debug the issue.
Works as expected:
{
"query": {
"query_string": {
"query": "Hofstetten-Grünau"
}
}
}
an added wildcard at the end delivers no results and I wonder why:
{
"query": {
"query_string": {
"query": "Hofstetten-Grünau*"
}
}
}
how to fix it?
elasticsearch v5.3.2
This delivers results:
{
"query": {
"query_string": {
"query": "Hofstetten*"
}
}
}
I use a single search field. The end user can freely use wildcards as they see fit. A user might type in:
hofstetten grünau
+ort:hofstetten-grünau
+ort:Hofstetten-G*
so using a match query wont work out for me.
I am using Jest (Java Annotations) as Mapping, and using "default" for this field. My index mapping declares nothing special for the field:
{
"mappings": {
"_default_": {
"date_detection": false,
"dynamic_templates": [{
}]
}
}
}
Adding the wildcard "*" at the end of your query string is causing the query analyzer to interpret the dash between "Hofstetten" and "Grünau" as a logical NOT operator. So you're actually searching for documents that contain Hofstetten but do NOT contain Grünau.
You can verify this by doing the following variations of your search:
"query": "Hofstetten-XXXXX" #should not return results
"query": "Hofstetten-XXXXX*" #should return results
To fix this I would recommend using a match query instead of a query_string query:
{"query": {"match": { "city": "Hofstetten-Grünau" }}}'
(with whatever your appropriate field name is in place of city).
I am new to Elasticsearch. This is the how my document look like :
_source :
{
"name": "this is my title",
"address" : "1300 S Belmont Road"
"ID= : 54000"
}
When i run this query :
Query 1 :
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*Belmont*",
"fields": ["name^5", "address^4","ID^3"]
}
},
"filter": {...}
}
}
I get 51 results
Query 2:
But this one gives 123 results :
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*Belmont*",
}
},
"filter": {...}
}
}
Why is it that the queries give different results even thogh I am Running the query on all the fields in Query 1
Mappings :
Address and Name are both string and "not_analyzed"
This is because the way _all field works. Your first query is looking for *Belmont* in specified fields with specific analyzer honored. It is internally converted to bool query and matched with each field individually.
Since address is not_analyzed, 1300 S Belmont Road will be stored as it is but _all field will have space delimited words with standard analyzer applied like 1300, s , belmont etc. From the Doc
The _all field is a special catch-all field which concatenates the
values of all of the other fields into one big string, using space as
a delimiter, which is then analyzed and indexed, but not stored.
so your second query operates on _all field and gives you more results.
Also your first query wont match "address" : "1300 S Belmont Road" as by default it will be lowercased while using wildcard so it will search for belmont and wont find it. You can change this behavior with lowercase_expanded_terms which is true by default. Try this
"query": {
"filtered": {
"query": {
"query_string": {
"query": "*Belmont*",
"fields": ["name^5", "address^4","ID^3"],
"lowercase_expanded_terms" : false
}
},
"filter": {...}
}
}
You might get more results depending on how you have stored names and address.
Hope this helps!