DSL compound Queries

waitangi · April 23, 2023, 8:53pm

Hi everyone

I have following DSL queries:

GET eclaims-logs-2023.04.21/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "thread_name" : "http-nio-5050-exec-7"
          }
        }
      ]
    }
  }
}

It works well and returns 5036 results. All results have the value of 'thread_name' equals 'http-nio-5050-exec-7'.
Second query returns documents added beetween '2023-04-21T08:06:15.220Z' and '2023-04-21T08:06:15.500Z'. Number of such documents is 14

GET eclaims-logs-2023.04.21/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2023-04-21T08:06:15.220Z",
              "lt": "2023-04-21T08:06:15.500Z"
            }
          }
        }
      ]
    }
  }
}

The third query that combines previus condiions is:

GET eclaims-logs-2023.04.21/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2023-04-21T08:06:15.220Z",
              "lt": "2023-04-21T08:06:15.500Z"
            }
          }
        },
        {
          "match": {
            "thread_name" : "http-nio-5050-exec-7"
          }
        }
      ]
    }
  }
}

the query returns 14 results, and seems to ignore match condition.
In my opinion the result should be 2.

Thanks in advance.

warkolm · April 27, 2023, 1:51am

Do all the results match the must though?

waitangi1 · May 18, 2023, 7:09pm

waitangi:

"query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "2023-04-21T08:06:15.220Z",
              "lt": "2023-04-21T08:06:15.500Z"
            }
          }
        },
        {
          "match": {
            "thread_name" : "http-nio-5050-exec-7"
          }
        }
      ]
    }
  }

That's the point. Only 2 documents in the index matches 2 conditions...
I want a simple query that matches 2 conditions.
Am I missing anything?

Christian_Dahlqvist · May 18, 2023, 8:05pm

What is the mapping of the thread_name field?

Can you show one sample document that you expect the compound query to match and one that is returned by should not match?

Did you go through and inspect all 5036 results?

dhondup · May 18, 2023, 8:25pm

@waitangi1

Let's say the first match query == A which returns 5036 results and the range query == B which returns 14 results based on your question above.

Since the bool must query is an AND operation, it will find the intersection of the two results (A and B). Out of 5036 results that already matched A, 14 of them also matched B. That sounds correct.

How were you verifying that there were only 2 documents that matched the combined query?

system · June 15, 2023, 8:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.