Filtering based on wildcard field name and synamicly adding them to _source

Elastic Stack Elasticsearch
1

Hi everyone!
I have a doc the looks like this:

{
"field1_isChanged": "false",
"field1_value": "someVal1",
"field2_isChanged": "true",
"field2_value": "someVal2",
"field3_isChanged": "true",
"field3_value": "someVal3",
...
}

  1. What I would like to do is to search for the values of the fields that changed, in other words: find the values of FIELD where FIELD_isChanged = true.
    I tried:

    {
 "query": {
 "query_string": {
   "fields": ["*_isChanged"],
   "query": "true"
 }
}
}

But this return empty.
Is there a way do do this?

  1. when the search works, I don't want to see the entire doc, I want only the fields that matched the query. Usually, I would sort the fields I want to see in "_source", but here I don't know beforehand the names of the fields that will match, only that there FIELD_isChange is "true". Is there a way to dynamicly add field to _source? And how about using wildcard in the field name in _source?

Thanks to anyone who can help!

2

I have a question. Why not indexing fields individually instead of a document containing multiple fields?

3

Like how?
like this?

{
  "mappings": {
    "_doc": {
      "properties": {
        "FIELD": {
           "fields":{
             "isChanged":"true"
           } 
        }
      }
    }
  }
}

Can something like this can be done?
If you can elaborate on what you meant I could answer you more easly...

4

Like this:

PUT fields/_doc/1
{
  "field_isChanged": "false",
  "field_value": "someVal1"
}

PUT fields/_doc/2
{
  "field_isChanged": "true",
  "field_value": "someVal2"
}
5

I prefer not to do that because I have about 500+ fields, so sepertaing each field and sending http request for each one will be problematic.

6

May be. I don't know the use case but according to what you described, you are searching for specific fields. You said that you don't want to see other fields if I understood correctly.

So if you have:

{
  "field1_isChanged": "false",
  "field1_value": "someVal1",
  "field2_isChanged": "true",
  "field2_value": "someVal2",
  "field3_isChanged": "true",
  "field3_value": "someVal3"
}

when the search works, I don't want to see the entire doc, I want only the fields that matched the query.

So basically you'd like to see something:

{
  "field_isChanged": "true",
  "field_value": "someVal3"
}
{
  "field_isChanged": "true",
  "field_value": "someVal2"
}

If I'm wrong, it'd be better to share a real example.

7

You are right, this is what I want to achieve.
Basicly: SELECT FIELD1_VALUE WHERE FIELD2 = SOMEVALUE
or in this example: get all fieldValue where field_isChanged = true.
Is there an easy way to do that?
I want to point out that, if possible, I would like to search for a field with wildcard, if I don't know the filed name in advance, for example:
get all FIELDValue where FIELDNAME_isChanged = true, and FIELD can be specific field or all fields that their respective FIELD_isChanged that matches the query. Can this wildcard style search can be done or will I need to search for specific field everytime?
But the idea of using field and adding attributes to the mapping is intriguing. Can I just add to a value a sub field of isChanged and solve the whole thing by searching for: fieldVal where field.ischanged = true (in the same way one adds raw:keyword to a field)?

8

I think you will need to do that on client side or may be with nested type field and inner hits...

9

so there is no way to get the results I want?

10

As I said, may be with nested type and inner hits.

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.