Creating Query that matches values using OR within a specific timeframe

Hello!
I am trying to create a query to search for different values of a specific field within a timeframe. For example, I want to search for a response with the value “123” OR “321”, AND that was created in the last 5 minutes:

GET /index1/_search
{
  "query": {
    "bool": {
      "must": {
        "bool": {
          "should": [
            {
              "match": {
                "responseCode.keyword": "123"
              }
            },
            {
              "match": {
                "responseCode.keyword": "321"
              }
            }
          ],
          "must": [
            {
              "range": {
                "log_timestamp": {
                  "from": "now-5m",
                  "to": "now"
                }
              }
            }
          ]
        }
      }
    }
  }
}

Nonetheless, when I execute this query I get values that do not correspond to those response codes. What am I missing?

regards,

Israel


If you combine a should clause with a must clause, then any query inside the should clause is optional. In other words, if a document just matches the query in the must clause, it's also going to be a hit (but with a lower score).

What you want to achieve can be done by making the should clause its own bool query, and putting that bool query inside the must clause:

GET /index1/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "log_timestamp": {
              "from": "now-5m",
              "to": "now"
            }
          }
        },
        {
          "bool": {
            "should": [
              {
                "match": {
                  "responseCode.keyword": "123"
                }
              },
              {
                "match": {
                  "responseCode.keyword": "321"
                }
              }
            ]
          }
        }
      ]
    }
  }
}

Now, at least one of the queries in the should clause has to match for a document to be a hit.

Or, alternatively, you can add minimum_should_match to the query. That parameter allows you to specify how many of the queries in the should clause have to match for a document to be considered a hit:

GET /index1/_search
{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "responseCode.keyword": "123"
          }
        },
        {
          "match": {
            "responseCode.keyword": "321"
          }
        }
      ],
      "must": [
        {
          "range": {
            "log_timestamp": {
              "from": "now-5m",
              "to": "now"
            }
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
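To make the difference between the three queries concrete, here is an added Python illustration (not from this thread and not Elasticsearch code): a tiny evaluator for the match/range/bool subset used above, run against three constructed documents. It implements the documented default for minimum_should_match, 1 when the bool has no must clause and 0 otherwise, and the fixed NOW value and the documents are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (constructed value).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def _time(expr):
    # Only the date math the page's queries use: "now" and "now-<N>m".
    if expr == "now":
        return NOW
    assert expr.startswith("now-") and expr.endswith("m"), expr
    return NOW - timedelta(minutes=int(expr[4:-1]))

def matches(query, doc):
    """Evaluate one query clause against a flat document dict."""
    (kind, body), = query.items()
    if kind == "match":
        (field, value), = body.items()
        return str(doc.get(field)) == str(value)
    if kind == "range":
        (field, bounds), = body.items()
        return _time(bounds["from"]) <= doc[field] <= _time(bounds["to"])
    if kind == "bool":
        must = body.get("must", [])
        must = must if isinstance(must, list) else [must]  # a bare object is allowed
        should = body.get("should", [])
        if not all(matches(q, doc) for q in must):
            return False
        # Documented default: 1 with no must clause, else 0 (why the original should was optional).
        msm = body.get("minimum_should_match", 1 if not must else 0)
        return not should or sum(matches(q, doc) for q in should) >= msm
    raise ValueError(f"unsupported clause: {kind}")

RANGE = {"range": {"log_timestamp": {"from": "now-5m", "to": "now"}}}
CODES = [{"match": {"responseCode.keyword": c}} for c in ("123", "321")]
ORIGINAL = {"bool": {"must": {"bool": {"should": CODES, "must": [RANGE]}}}}
NESTED = {"bool": {"must": [RANGE, {"bool": {"should": CODES}}]}}
WITH_MSM = {"bool": {"should": CODES, "must": [RANGE], "minimum_should_match": 1}}

DOCS = [  # constructed sample documents; "b" has a code the query should exclude
    {"id": "a", "responseCode.keyword": "123", "log_timestamp": NOW - timedelta(minutes=1)},
    {"id": "b", "responseCode.keyword": "500", "log_timestamp": NOW - timedelta(minutes=2)},
    {"id": "c", "responseCode.keyword": "321", "log_timestamp": NOW - timedelta(minutes=30)},
]

def hits(query):
    return [d["id"] for d in DOCS if matches(query, d)]  # IDs the query would return

if __name__ == "__main__":
    for name, q in (("original", ORIGINAL), ("nested bool", NESTED), ("minimum_should_match", WITH_MSM)):
        print(f"{name:>20}: {hits(q)}")
```

The original query returns document "b" (code 500) purely because it falls in the time window, so a detection rule written that way widens silently to every event in the window instead of failing visibly.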
