DSL Query for text in quotes

Hello,

I have a sample message as below in log with several other messages too:
{"kind":"user_test","sts":"2020-04-23 10:26:29","uc":,"rc":"ok","errc":0}

I am trying to write a query to find all the messages with a combination of
"kind":"user_test" and "rc":"ok" and "errc":0

I tried using multi_match and match_phrase, however it's ignoring the AND condition and just selecting all the messages with any of the above keywords.

Can someone help if you have a similar DSL query that you used anywhere, please?

Hello @VSP

I think the query syntax you're proposing better matches the Query String query API.

GET /_search
{
    "query": {
        "query_string" : {
            "query" : "kind:user_test AND rc:ok AND errc:0",
            "default_field" : "content"
        }
    }
}

Boolean operators must be UPPERCASE.

Hello,

That didn't work, probably because of the way the messages are in the log with quotes.

Below is the full message I see in the log:
{"kind":"user_test","sts":"2020-04-23 10:26:29","uc":,"rc":"ok","errc":0}

How do I ensure that the full text including the quotes is being compared?
"kind":"user_test"

Hello @VSP

Sorry, my bad. I misunderstood the problem.

You have some text such as {"kind":"user_test","sts":"2020-04-23 10:26:29","uc":,"rc":"ok","errc":0} in a text field in a document in Elasticsearch.

If the text is contained in a text field named message, you can search with:

GET your_index_name/_search
{
  "query": {
    "query_string": {
      "query": "\"\"kind\":\"user_test\"\" AND \"\"rc\":\"ok\"\" AND \"\"errc\":0\"",
      "default_field": "message"
    }
  }
}

Hello Luca,

Thanks for your response. While the query did work this time, the problem is that it separated the text ("kind":"user_test") into separate words, and any hits on either KIND or USER_TEST in the entire log were selected. Ideally it should have been just those messages with the combination of the full text ["kind":"user_test"] along with ["rc":"ok"] and ["errc":0].

When you index some text, it gets analyzed by Elasticsearch.

Using the default analyzer:

POST _analyze
{
  "text": [ "{\"kind\":\"user_test\",\"sts\":\"2020-04-23 10:26:29\",\"uc\":,\"rc\":\"ok\",\"errc\":0}" ]
}

Internally Elasticsearch will generate the tokens:

{
  "tokens" : [
    {
      "token" : "kind",
      "start_offset" : 2,
      "end_offset" : 6,
      "type" : "<ALPHANUM>",
      "position" : 0
    },
    {
      "token" : "user_test",
      "start_offset" : 9,
      "end_offset" : 18,
      "type" : "<ALPHANUM>",
      "position" : 1
    },
    {
      "token" : "sts",
      "start_offset" : 21,
      "end_offset" : 24,
      "type" : "<ALPHANUM>",
      "position" : 2
    },
    {
      "token" : "2020",
      "start_offset" : 27,
      "end_offset" : 31,
      "type" : "<NUM>",
      "position" : 3
    },
    {
      "token" : "04",
      "start_offset" : 32,
      "end_offset" : 34,
      "type" : "<NUM>",
      "position" : 4
    },
    {
      "token" : "23",
      "start_offset" : 35,
      "end_offset" : 37,
      "type" : "<NUM>",
      "position" : 5
    },
    {
      "token" : "10",
      "start_offset" : 38,
      "end_offset" : 40,
      "type" : "<NUM>",
      "position" : 6
    },
    {
      "token" : "26",
      "start_offset" : 41,
      "end_offset" : 43,
      "type" : "<NUM>",
      "position" : 7
    },
    {
      "token" : "29",
      "start_offset" : 44,
      "end_offset" : 46,
      "type" : "<NUM>",
      "position" : 8
    },
    {
      "token" : "uc",
      "start_offset" : 49,
      "end_offset" : 51,
      "type" : "<ALPHANUM>",
      "position" : 9
    },
    {
      "token" : "rc",
      "start_offset" : 55,
      "end_offset" : 57,
      "type" : "<ALPHANUM>",
      "position" : 10
    },
    {
      "token" : "ok",
      "start_offset" : 60,
      "end_offset" : 62,
      "type" : "<ALPHANUM>",
      "position" : 11
    },
    {
      "token" : "errc",
      "start_offset" : 65,
      "end_offset" : 69,
      "type" : "<ALPHANUM>",
      "position" : 12
    },
    {
      "token" : "0",
      "start_offset" : 71,
      "end_offset" : 72,
      "type" : "<NUM>",
      "position" : 13
    }
  ]
}

Another search query might be quite equivalent:

GET crazytest/_search
{
  "query": {
    "query_string": {
      "query": "kind AND user_test AND rc AND ok AND errc AND 0",
      "default_field": "message"
    }
  }
}

If you really want to search for specific strings within the text, you should change the analyzer (but it will require reindexing) or try to query on the keyword field (if you have the same data but in a keyword field), but it will be a heavy query as you will need to rely on leading wildcards or a regular expression.
Ref:
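To make the difference between the three approaches in this thread concrete (AND of bare terms on an analyzed text field, quoted phrases on the same field, and a regular expression on an unanalyzed keyword copy), here is an added Python example that is not part of the original thread and not Elasticsearch code. It uses a small stand-in for the standard analyzer (split on non-word characters, lowercase) that reproduces the token list shown in the _analyze output above, and runs each matching strategy over the poster's log line plus three constructed messages. The point for anyone writing detection or audit queries over log text: the term and phrase forms accept messages that merely contain the same tokens, so a rule built on them over-matches, while only the keyword/regexp form compares the raw string with its quotes.

```python
import re

# Message 0 is the log line from the thread; messages 1-3 are constructed here
# to show where each query style over- or under-matches.
MESSAGES = [
    '{"kind":"user_test","sts":"2020-04-23 10:26:29","uc":,"rc":"ok","errc":0}',
    '{"kind":"user_test","sts":"2020-04-23 10:27:01","uc":,"rc":"fail","errc":3}',
    '{"kind":"admin_login","sts":"2020-04-23 10:28:44","uc":,"rc":"ok","errc":0,"note":"user_test"}',
    'kind=user_test sts=2020-04-23 10:29:12 rc=ok errc=0',
]


def standard_tokens(text):
    """Stand-in for the standard analyzer: keep runs of word characters
    (letters, digits, underscore), drop punctuation and quotes, lowercase.
    On MESSAGES[0] this yields the same 14 tokens the _analyze call returns."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def and_terms_match(text, terms):
    """Behaviour of 'kind AND user_test AND rc AND ok AND errc AND 0' on a text
    field: every term must occur somewhere in the message, order and
    adjacency are irrelevant."""
    present = set(standard_tokens(text))
    return all(t.lower() in present for t in terms)


def phrase_match(text, phrase):
    """Behaviour of a quoted phrase on a text field: the phrase is analyzed
    with the same tokenizer (quotes and colons vanish) and its tokens must
    appear adjacent and in order."""
    toks = standard_tokens(text)
    wanted = standard_tokens(phrase)
    return any(toks[i:i + len(wanted)] == wanted
               for i in range(len(toks) - len(wanted) + 1))


def keyword_regexp_match(text, pattern):
    """Behaviour of a regexp query on an unanalyzed keyword field: the raw
    string is compared and, as with Lucene regexps, the pattern must match
    the whole value, hence fullmatch."""
    return re.fullmatch(pattern, text) is not None


def evaluate(messages=MESSAGES):
    """Return, per strategy, the indices of messages that match the poster's
    intended condition kind=user_test, rc=ok, errc=0."""
    terms = ["kind", "user_test", "rc", "ok", "errc", "0"]
    phrases = ['"kind":"user_test"', '"rc":"ok"', '"errc":0']
    # [,}] after the 0 stops "errc":0 from also accepting "errc":01 etc.
    pattern = r'.*"kind":"user_test".*"rc":"ok".*"errc":0[,}].*'
    hits = {"and_terms": [], "phrases": [], "keyword_regexp": []}
    for i, msg in enumerate(messages):
        if and_terms_match(msg, terms):
            hits["and_terms"].append(i)
        if all(phrase_match(msg, p) for p in phrases):
            hits["phrases"].append(i)
        if keyword_regexp_match(msg, pattern):
            hits["keyword_regexp"].append(i)
    return hits


if __name__ == "__main__":
    print("tokens of message 0:", standard_tokens(MESSAGES[0]))
    for strategy, idx in evaluate().items():
        print(f"{strategy:15s} matches messages {idx}")
```

Running it shows the AND-of-terms query accepting message 2 (an admin_login event that merely mentions user_test in another field) and message 3 (a key=value line with the same tokens); the phrase form rejects message 2 but still accepts message 3 because the quotes it was supposed to require were removed by analysis; only the keyword regexp returns just message 0. One caveat when trying the keyword route against dynamically mapped indices: the generated message.keyword sub-field carries ignore_above: 256, so log lines longer than that are simply absent from it and a regexp there silently misses them.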
