HELP with understanding of query

Hello, can you help me understand why a simple query is not working?
I have a simple index with default settings:

PUT my_index/doc/1
{
  "path": "C:\\Windows\\system32\\cmd.exe"
}

Why doesn't the following query return anything?

GET my_index/_search
{
  "_source": "path", 
  "query": {
    "query_string": {
      "query": "(path: *\\system32\\*.exe)"
    }
  }
}

It's likely a mismatch with how the document was analyzed, and how the query is being analyzed. I would use the Analyze API to see how the document is tokenized. You can then see how the query is tokenized with the Explain API and compare the two. Usually it becomes obvious how the two are analyzed differently and you can make corrections.

I have checked the analyzer and it gives standard output.

GET my_index/_analyze
{
  "text" : "C:\\Windows\\system32\\cmd.exe"
}

gives:

{
  "tokens": [
    {
      "token": "c",
      "start_offset": 0,
      "end_offset": 1,
      "type": "<ALPHANUM>",
      "position": 0
    },
    {
      "token": "windows",
      "start_offset": 3,
      "end_offset": 10,
      "type": "<ALPHANUM>",
      "position": 1
    },
    {
      "token": "system32",
      "start_offset": 11,
      "end_offset": 19,
      "type": "<ALPHANUM>",
      "position": 2
    },
    {
      "token": "cmd.exe",
      "start_offset": 20,
      "end_offset": 27,
      "type": "<ALPHANUM>",
      "position": 3
    }
  ]
}

It seems the problem is in the escaping of the star sign: "\" should be "\\".
The following query works as expected:

GET my_index/_search
{
  "_source": "path", 
  "query": {
    "query_string": {
      "query": "(path.keyword: *\\system32\\\\*.exe)"
    }
  }
}
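
A simplified model of the two escaping layers in this thread (JSON string decoding, then backslash escapes inside the wildcard term), as an added example that is not part of the original posts. It runs both wildcard terms against the tokens `_analyze` reported for `path` and against the unanalyzed value that `path.keyword` holds; `wildcard_to_regex`, `matches` and `report` are hypothetical helper names, and the assumed wildcard rules are `*` for any run, `?` for one character and backslash as the escape character, which is less than what real `query_string` parsing does.

```python
import json
import re

# Values taken from the thread: the indexed path and the tokens reported by _analyze.
KEYWORD_VALUE = r"C:\Windows\system32\cmd.exe"
TEXT_TOKENS = ["c", "windows", "system32", "cmd.exe"]

def wildcard_to_regex(pattern):
    """Assumed wildcard rules: '*' = any run, '?' = one char, backslash + x = literal x."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped character is taken literally
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matches(json_literal, terms):
    """Decode the JSON string literal, then test the wildcard against each whole term."""
    term = json.loads(json_literal)   # layer 1: JSON escaping
    rx = wildcard_to_regex(term)      # layer 2: wildcard escaping
    return [t for t in terms if rx.fullmatch(t)]

# The wildcard terms exactly as typed in the two request bodies (JSON source text).
FIRST = r'"*\\system32\\*.exe"'
SECOND = r'"*\\system32\\\\*.exe"'

def report():
    return {
        "first_on_text": matches(FIRST, TEXT_TOKENS),
        "first_on_keyword": matches(FIRST, [KEYWORD_VALUE]),
        "second_on_text": matches(SECOND, TEXT_TOKENS),
        "second_on_keyword": matches(SECOND, [KEYWORD_VALUE]),
    }

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name}: {hits}")
```

In this model only the second term on the keyword value produces a hit: the first term's `\*` becomes a literal star, and no single analyzed token contains a backslash for either pattern to match.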
