I have the following code that queries across the _all field, which includes first name, last name, and date of birth:
POST /user/_search
{
  "query": {
    "match": {
      "_all": {
        "query": "John Doe 08/11/1992",
        "operator": "and"
      }
    }
  }
}
It works fine, but I have a special case: if the date you query is not the one stored in the record but is 1/11/1111, then it should still return the user as a match. For example:
POST /user/_search
{
  "query": {
    "match": {
      "_all": {
        "query": "John Doe 11/11/111",
        "operator": "and"
      }
    }
  }
}
should find the document even though the correct birthday is 08/11/1992. How would one go about handling this exception?
Either use 'or' in the query. If this returns too many irrelevant results, then try a Bool Query and split the name and the date. Then you can match on the exact name and only on parts of the date.
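A worked version of the answer above, added here as an example and not part of the original post: the name is split out of _all and matched exactly, and the date clause is only added when the queried date is a real one, so the placeholder date 1/11/1111 matches any record. The field names "first", "last" and "dob" are assumptions (the post only says _all covers them), and "dob" is assumed to be stored as an exact-value (keyword / not_analyzed) string so that a term query applies.

```python
# Added example; not from the original post. Builds the bool query the answer
# describes and mirrors its logic locally so it can be checked against a
# sample document. Field names "first", "last" and "dob" are assumptions.

WILDCARD_DOB = "1/11/1111"  # the "match anyone" date from the question


def build_user_query(first, last, dob):
    """Name must match; the date must match unless it is the wildcard date."""
    must = [
        {"match": {"first": {"query": first, "operator": "and"}}},
        {"match": {"last": {"query": last, "operator": "and"}}},
    ]
    if dob != WILDCARD_DOB:
        # term assumes "dob" is an exact-value field, not an analyzed string
        must.append({"term": {"dob": dob}})
    return {"query": {"bool": {"must": must}}}


def user_matches(doc, first, last, dob):
    """Local mirror of the query's logic, for checking against sample documents."""
    if doc["first"].lower() != first.lower() or doc["last"].lower() != last.lower():
        return False
    return dob == WILDCARD_DOB or doc["dob"] == dob


# Constructed sample document (not from the post's index).
SAMPLE_DOC = {"first": "John", "last": "Doe", "dob": "08/11/1992"}
```

Keeping the wildcard decision on the client side, rather than indexing 1/11/1111 into every record, means the stored data stays truthful and the "match anyone" behaviour is visible in one place.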
I get log files from my firewall which I want to filter for several strings.
However, the string always contains some other information. So I want to filter the whole string for some specific words which are always in the string: "User", "authentication", "failed".
I tried this, but I do not get any data from it:
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "#timestamp": {
              "gt": "now-15m"
            }
          }
        },
        {
          "query_string": {
            "query": "User AND authentication AND failed"
          }
        }
      ]
    }
  }
}
However, I cannot find the syntax for filtering on specific words in strings. Hopefully some of you can help me.
This is the message log (I want to filter on "event.original"): (screenshot)
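An added example, not from the original post, of the detection query the question is after and of the difference between "all words present" and "exact phrase" matching. It assumes the timestamp field is "@timestamp" (Logstash's default; the post shows "#timestamp") and that the message field is "event.original" as the post names it. The sample log lines are constructed; the local matching functions mirror what match with operator "and" and match_phrase would select, so the rule can be checked without a cluster.

```python
import re

# Added example; not from the original post. Field names "@timestamp" and
# "event.original" are assumptions taken from Logstash defaults and the post.

REQUIRED_TERMS = ["User", "authentication", "failed"]


def build_auth_failure_query(minutes=15, field="event.original", phrase=False):
    """bool query: time window as a non-scoring filter, words required in the message.

    phrase=False: match with operator "and" -> all words, any order, anywhere.
    phrase=True:  match_phrase -> the words adjacent and in this order.
    """
    text = " ".join(REQUIRED_TERMS)
    if phrase:
        must = {"match_phrase": {field: text}}
    else:
        must = {"match": {field: {"query": text, "operator": "and"}}}
    return {
        "query": {
            "bool": {
                "filter": [{"range": {"@timestamp": {"gt": f"now-{minutes}m"}}}],
                "must": [must],
            }
        }
    }


def _tokens(line):
    """Rough stand-in for the standard analyzer: lowercased word tokens."""
    return re.findall(r"\w+", line.lower())


def matches_all_terms(line, terms=REQUIRED_TERMS):
    """Local mirror of match/operator=and: every term present as a token."""
    return {t.lower() for t in terms} <= set(_tokens(line))


def matches_phrase(line, terms=REQUIRED_TERMS):
    """Local mirror of match_phrase: terms adjacent and in the given order."""
    toks = _tokens(line)
    want = [t.lower() for t in terms]
    return any(toks[i:i + len(want)] == want
               for i in range(len(toks) - len(want) + 1))


# Constructed sample log lines (not real firewall output).
SAMPLE_LINES = [
    "fw1: User authentication failed for user=alice from 10.0.0.5",
    "fw1: User authentication succeeded for user=bob from 10.0.0.6",
    "fw1: VPN tunnel failed: authentication timeout, User carol notified",
]


def failed_auth_lines(lines=SAMPLE_LINES, phrase=False):
    """Lines the query would select under either matching rule."""
    check = matches_phrase if phrase else matches_all_terms
    return [line for line in lines if check(line)]
```

The third sample line contains all three words but is not an authentication failure; the "and" form (and the post's query_string with AND) selects it, while match_phrase does not. Putting the range under "filter" rather than "must" keeps it out of scoring and lets the node cache it.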
I need to search through a database with 3 keywords (3 queries), and I need to tell the user which of the keywords (queries) gave a result.
I've been looking into Named Queries as a possible solution.
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-named-queries-and-filters.html
I was wondering if it is possible to apply named queries to a nested query?
According to the documentation:
"The search response will include for each hit the matched_queries it matched on."
So I tried with just one easy query to see how it works. I got a result, but no "matched_queries". Did I do something wrong?
This is my query in Kibana (I'm not using the actual names):
GET database/document/_search
{
  "query": {
    "nested": {
      "path": "first_path",
      "query": {
        "nested": {
          "path": "second_path",
          "query": {
            "match": {
              "match_field": {
                "query": "First query",
                "_name": "query"
              }
            }
          }
        }
      },
      "inner_hits": {}
    }
  }
}
From what I can see in https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-named-queries-and-filters.html:
"The search response will include for each hit the matched_queries it matched on. The tagging of queries and filters only make sense for the bool query."
It looks like you should use a "bool" query in your innermost query:
...
"query": {
  "bool": {
    "should": [
      …
    ]
  }
}
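An added example, not from the original post, that follows the answer above: the keyword matches go into a bool/should inside the nested query, each clause is given a _name, and the names are read back out of the response so the caller can tell which keyword produced each hit. "first_path", "second_path" and "match_field" are the placeholder names from the post; the response is constructed to the shape of an Elasticsearch search response. Depending on the version, names matched inside a nested query may be reported on the outer hit or on its inner_hits, so the extractor looks in both places.

```python
# Added example; not from the original post. Paths and field name are the
# post's placeholders; the sample response is constructed.

def build_named_keyword_query(keywords, field="match_field",
                              paths=("first_path", "second_path")):
    """nested(first_path) -> nested(second_path) -> bool/should, one named clause per keyword."""
    query = {
        "bool": {
            "should": [
                {"match": {field: {"query": kw, "_name": f"kw_{i}"}}}
                for i, kw in enumerate(keywords)
            ],
            "minimum_should_match": 1,
        }
    }
    for path in reversed(paths):  # wrap from the innermost path outwards
        query = {"nested": {"path": path, "query": query}}
    query["nested"]["inner_hits"] = {}  # inner_hits on the outermost level, as in the post
    return {"query": query}


def _matched_names(hit):
    """Collect matched_queries from a hit and, recursively, from its inner_hits."""
    names = set(hit.get("matched_queries", []))
    for inner in hit.get("inner_hits", {}).values():
        for sub in inner["hits"]["hits"]:
            names |= _matched_names(sub)
    return names


def keywords_per_hit(response, keywords):
    """Map each hit _id to the keywords (in original order) whose clause matched."""
    by_name = {f"kw_{i}": kw for i, kw in enumerate(keywords)}
    result = {}
    for hit in response["hits"]["hits"]:
        names = _matched_names(hit)
        result[hit["_id"]] = [kw for name, kw in by_name.items() if name in names]
    return result


# Constructed sample response (shape only; not output from a real cluster).
SAMPLE_SEARCH_RESPONSE = {
    "hits": {
        "hits": [
            {"_id": "1", "matched_queries": ["kw_0", "kw_2"]},
            {"_id": "2",
             "inner_hits": {"first_path": {"hits": {"hits": [
                 {"matched_queries": ["kw_1"]}]}}}},
            {"_id": "3", "matched_queries": []},
        ]
    }
}
```

Generated names ("kw_0", "kw_1", ...) rather than the keyword text itself keep the response stable even when two keywords are identical or contain characters you would not want echoed back.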
I'm not very experienced with Elastic, but is it possible to aggregate and filter on the same key?
Say I want to be able to filter on the city and aggregate on the department ID for counts of a certain department in that city, but also be able to filter on that as well. Think of it as a checkbox for the city, then child checkboxes under the city which can also be filtered on, or 'checked'.
This may be a dumb question, but is there any way to do this? I know it is invalid JSON due to the duplicate key (department.id). Would a pipeline aggregation be something viable to use?
The top query would be a "match_all" query.
Aggregations such as:
"aggregations": {
  "department.id": {
    "terms": {
      "field": "department.id",
      "size": 10
    }
  },
  "department.id": {
    "filter": {
      "bool": {
        "filter": {
          "terms": {
            "city": ["chicago"]
          }
        }
      }
    }
  }
}
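The question above has no answer on the page. As an added example, not from the original post, one way to get "departments per city, with the city itself selectable" without the duplicate "department.id" key is to give the aggregations distinct names and nest the terms aggregation under a filter aggregation. The field names "city" and "department.id" are the post's; the response fed to department_counts is constructed to the shape Elasticsearch returns.

```python
# Added example; not from the original post. Aggregation names "in_city" and
# "by_department" are chosen here; "city" and "department.id" are the post's fields.

def build_department_aggs(cities=None, size=10):
    """match_all query; terms on department.id, optionally scoped to the chosen cities."""
    by_department = {"terms": {"field": "department.id", "size": size}}
    if cities:
        # filter aggregation scopes the sub-aggregation to the selected cities
        aggs = {"in_city": {"filter": {"terms": {"city": list(cities)}},
                            "aggs": {"by_department": by_department}}}
    else:
        aggs = {"by_department": by_department}
    return {"query": {"match_all": {}}, "size": 0, "aggs": aggs}


def department_counts(response):
    """Return {department_id: doc_count} from either response shape."""
    aggs = response["aggregations"]
    terms = aggs["in_city"]["by_department"] if "in_city" in aggs else aggs["by_department"]
    return {b["key"]: b["doc_count"] for b in terms["buckets"]}


# Constructed sample response for the city-filtered shape.
SAMPLE_AGG_RESPONSE = {
    "aggregations": {"in_city": {"doc_count": 7, "by_department": {
        "buckets": [{"key": 12, "doc_count": 4}, {"key": 7, "doc_count": 3}]}}}
}
```

"size": 0 suppresses the hits when only the counts are wanted; a second checkbox level (department) can be applied the same way by wrapping by_department in another filter aggregation rather than by reusing a key.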
I'm trying to perform an Elasticsearch query as a POST request in order to pull data from the index which I created. The data in the index is a table from a MySQL DB, loaded through Logstash.
Here is my request and the JSON body:
http://localhost:9200/response_summary/_search
Body:
{
  "query": {
    "query_string": {
      "query": "transactionoperationstatus:\"charged\" AND api:\"payment\" AND operatorid:\"XL\" AND userid:*test AND time:\"2015-05-27*\" AND responsecode:(200+201)"
    }
  },
  "aggs": {
    "total": {
      "terms": {
        "field": "userid"
      },
      "aggs": {
        "total": {
          "sum": {
            "script": "Double.parseDouble(doc['chargeamount'].value)"
          }
        }
      }
    }
  }
}
In the above JSON body, I need to append the timestamp to the query_string in order to get the data from the index within a date range. I tried adding this at the end of the query:
AND timestamp:[2015-05-27T00:00:00.128Z+TO+2015-05-27T23:59:59.128Z]"
Where am I going wrong? Any help would be appreciated.
You just need to remove the "+" signs, as they are only necessary when sending a query via the URL query string (i.e. to URL-encode the spaces); if you use the query_string query, you don't need to do that:
AND timestamp:[2015-05-27T00:00:00.128Z TO 2015-05-27T23:59:59.128Z]"
(the two "+" signs on either side of TO are the ones to remove)
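An added example, not from the original post, showing two changes a practitioner would make to the body above. First, values that come from users are escaped before being spliced into query_string: its text is parsed as query syntax, so an unescaped quote, colon or wildcard inside a value can change which documents the query selects. Second, the date window goes into a separate range filter instead of a literal in the string, which also removes the URL-style "+" the answer points out. Field names follow the post; "timestamp" is assumed to be a date-typed field, and the post's aggregations carry over unchanged and are left out here.

```python
import re

# Added example; not from the original post. Field names are the post's;
# "timestamp" is assumed to be mapped as a date.

# Characters query_string treats as syntax; each is prefixed with a backslash.
_RESERVED = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/])')


def escape_query_string(value):
    """Escape query_string reserved characters so value is matched literally."""
    return _RESERVED.sub(r"\\\1", value)


def build_payment_query(operatorid, userid_suffix, day, codes=(200, 201)):
    """query_string for the literal fields plus a range filter on timestamp.

    day is an ISO date (YYYY-MM-DD); the filter covers that whole UTC day.
    """
    codes_clause = " OR ".join(str(c) for c in codes)
    qs = (
        'transactionoperationstatus:"charged" AND api:"payment"'
        f' AND operatorid:"{escape_query_string(operatorid)}"'
        f' AND userid:*{escape_query_string(userid_suffix)}'
        f' AND responsecode:({codes_clause})'
    )
    return {
        "query": {
            "bool": {
                "must": [{"query_string": {"query": qs}}],
                "filter": [{"range": {"timestamp": {
                    "gte": f"{day}T00:00:00.000Z",
                    "lte": f"{day}T23:59:59.999Z"}}}],
            }
        }
    }
```

With the escaping in place, an operatorid value such as XL" OR api:admin stays one literal phrase instead of adding a clause to the query; without it the same input would widen the result set. The leading wildcard in userid:*test is kept from the post, but note that leading wildcards are expensive on large indices.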
I'm currently developing a tag search application using Elasticsearch. I have given each document within the index an array of tags; here's an example of how a document looks:
_source: {
  title: "Keep in touch scheme",
  intro: "<p>hello this is a test</p> ",
  full: " <p>again this is a test mate</p>",
  media: "",
  link: "/training/keep-in-touch",
  tags: [
    "employee",
    "training"
  ]
}
I would like to be able to make a search and only return documents with all of the specified tags.
Using the above example, if I searched for a document with tags ["employee", "training"] then the above result would be returned.
In contrast, if I searched with tags ["employee", "other"], then nothing would be returned; all tags within the search query must match.
Currently I am doing:
query: {
  bool: {
    must: [
      { match: { tags: ["employee", "training"] } }
    ]
  }
}
but I am just getting exceptions like
IllegalStateException[Can't get text on a START_ARRAY at 1:128];
I have also tried concatenating the arrays and using comma-delimited strings; however, this seems to match anything as long as the first tag matches.
Any suggestions on how to approach this? Cheers
Option 1: The next example should work (v2.3.2):
curl -XPOST 'localhost:9200/yourIndex/yourType/_search?pretty' -d '{
  "query": {
    "bool": {
      "must": [
        { "term": { "tags": "employee" } },
        { "term": { "tags": "training" } }
      ]
    }
  }
}'
Option 2: You can also try:
curl -XPOST 'localhost:9200/yourIndex/yourType/_search?pretty' -d '{
  "query": {
    "filtered": {
      "query": { "match_all": {} },
      "filter": {
        "terms": {
          "tags": ["employee", "training"]
        }
      }
    }
  }
}'
But without "minimum_should_match": 1 it works, but is a little bit inaccurate.
I also found "execution": "and", but it is not accurate either.
Option 3: You can also try query_string; it works perfectly but looks a little bit complicated:
curl -XPOST 'localhost:9200/yourIndex/yourType/_search?pretty' -d '{
  "query": {
    "query_string": {
      "query": "(tags:employee AND tags:training)"
    }
  }
}'
Maybe it will be helpful for you...
To ensure that the set contains only the specified values, maintain a secondary field to keep track of the tag count. Then you can query like below to get the desired results:
"query": {
  "bool": {
    "must": [
      { "term": { "tags": "employee" } },
      { "term": { "tags": "training" } },
      { "term": { "tag_count": 2 } }
    ]
  }
}
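An added example, not from the original post, that generalises Option 1 and the tag_count answer to any number of tags: one term clause per wanted tag, plus an optional exact-set check via the secondary count field. It assumes the tags field is mapped as an exact-value field (keyword, or not_analyzed string on 2.x); on an analyzed string field the tokens are lowercased at index time and a term query for "Employee" would not match. The local doc_matches function mirrors the query's semantics against constructed documents.

```python
# Added example; not from the original post. Field names "tags" and "tag_count"
# are the page's; an exact-value (keyword / not_analyzed) mapping is assumed.

def build_all_tags_query(tags, exact=False, field="tags", count_field="tag_count"):
    """bool/must of term clauses: every wanted tag must be present.

    exact=True adds a term on the maintained count field so that documents
    carrying extra tags beyond the wanted set are excluded as well.
    """
    wanted = list(dict.fromkeys(tags))  # drop duplicates, keep order
    must = [{"term": {field: tag}} for tag in wanted]
    if exact:
        must.append({"term": {count_field: len(wanted)}})
    return {"query": {"bool": {"must": must}}}


def doc_matches(doc_tags, tags, exact=False):
    """Local mirror of the query: all wanted tags present; exact -> no others."""
    have = set(doc_tags)
    wanted = set(tags)
    if not wanted <= have:
        return False
    return not exact or len(have) == len(wanted)


# Constructed sample documents (tags only; the rest of _source is irrelevant here).
SAMPLE_DOCS = {
    "keep-in-touch": ["employee", "training"],
    "onboarding": ["employee", "training", "hr"],
    "payroll": ["employee"],
}


def matching_docs(tags, exact=False, docs=SAMPLE_DOCS):
    """Ids of the sample documents the query would return."""
    return [doc_id for doc_id, doc_tags in docs.items()
            if doc_matches(doc_tags, tags, exact)]
```

The failing attempt in the question passed an array to match, which expects a single string; the term clauses above are what the array form was meant to express. tag_count must be written at index time with the document (and updated on every change) or the exact-set check silently stops excluding documents.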