We have an index with documents which have the value "-" in a field "referrer". However when we try to exclude these values in Kibana, the documents are not filtered out. Digging deeper we see that ElasticSearch does not respect the query:
The query NOT referrer: \"-\" returns a document with referrer = -.
What is the mapping for the referrer field?
...
"referrer": {
"type": "text"
}
...
Such a field is applying a standard analyzer to the text.
Use the _analyze API to see how your text is transformed. Most likely, nothing is indexed.
I'm confused - the field is text (and not analyzed?) so I can't filter on it's existence?
NOT referrer: \"-\" is not querying on existence of the field but comparing its content. Here you indexed no content. And you are searching for nothing.
Here is an example that shows this:
DELETE test
PUT test/_doc/1
{
"foo": "bar"
}
PUT test/_doc/2
{
"foo": "-"
}
GET test/_search
{
"query": {
"query_string": {
"query": "NOT foo:\"-\""
}
}
}
This gives nothing.
But:
GET test/_search
{
"query": {
"query_string": {
"query": "NOT foo.keyword:\"-\""
}
}
}
Gives:
{
"took" : 20,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 1.0,
"hits" : [
{
"_index" : "test",
"_type" : "_doc",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"foo" : "bar"
}
}
]
}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.