Highlighting wrong when index.query.default_field is set

Hi,

I have an index with a mapping that includes "index.query.default_field": "message". When I make a search against this index, using just "*" as the query, and set highlighting options, the results I get back have the string "Message" highlighted if it occurs in the value of the message field. I suspect this is because of the way Elasticsearch handles the default_field setting internally. Like this:

GET _search
{
  "size": 1,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "*",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1481787693324,
              "lte": 1481787693324,
              "format": "epoch_millis"
            }
          }
        }
      ]
    }
  },
  "highlight": {
    "fields": {
      "*": {}
    },
    "require_field_match": false
  }
}

{
  "took": 1683,
  "timed_out": false,
  "_shards": {
    "total": 321,
    "successful": 321,
    "failed": 0
  },
  "hits": {
    "total": 7,
    "max_score": 2,
    "hits": [
      {
        "_index": "log-qradar-20161215",
        "_type": "logs",
        "_id": "AVkBbdlgkS35GOS6IIl1",
        "_score": 2,
        "_source": {
          "input": "1514/tcp",
          "@timestamp": "2016-12-15T07:41:33.324Z",
          "port": 57367,
          "@version": "1",
          "message": "<13>Dec 15 08:38:51 hostname.dot.com AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.2.984723\tSource=Microsoft-Windows-Security-Auditing\tComputer=hostname.dot.com\tOriginatingComputer=ip.address\tUser=\tDomain=\tEventID=4662\tEventIDCode=4662\tEventType=16\tEventCategory=4608\tRecordNumber=13543854504\tTimeGenerated=1481787526\tTimeWritten=1481787526\tLevel=Log Always\tKeywords=Audit Failure\tTask=SE_ADT_DSACCESS_DSACCESS\tOpcode=Info\tMessage=",
          "tags": [],
          "source_ip": "ip.address"
        },
        "highlight": {
          "message": [
            "=Log Always\tKeywords=Audit Failure\tTask=SE_ADT_DSACCESS_DSACCESS\tOpcode=Info\t<em>Message</em>="
          ]
        }
      }
    ]
  }
}

I believe this shouldn't be happening, but I'm quite new to elasticsearch so I'm not sure. Is this the expected behaviour or not?

Thanks for your thoughts.

Best,
Dan

PS: I'm aware of "Unexpected highlighted words matching with value of index.query.default_field", but that was posted in the Kibana forum, so it may not have gotten the proper attention. That's why I decided to post here in the Elasticsearch forum as well.
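An added check, in Python, that is not part of the post or of Elasticsearch: it scans a search response for highlight fragments whose emphasized term equals the configured index.query.default_field name while matching none of the query's own terms, which is the symptom described above. The embedded response is a trimmed copy of the one quoted in the post, and the check assumes the highlighter's default <em> tags.

```python
import json
import re

# Constructed sample: the highlight portion of the response quoted in the post,
# trimmed to the fields this check reads.
SAMPLE_RESPONSE = json.loads(r'''{
  "hits": {"hits": [{
    "_id": "AVkBbdlgkS35GOS6IIl1",
    "highlight": {"message": [
      "=Log Always\tKeywords=Audit Failure\tTask=SE_ADT_DSACCESS_DSACCESS\tOpcode=Info\t<em>Message</em>="
    ]}
  }]}
}''')

# Default pre/post tags of the Elasticsearch highlighter (assumed unchanged).
EM_RE = re.compile(r"<em>(.*?)</em>")


def query_terms(query_string):
    """Terms a user would expect to see highlighted: every whitespace-separated
    token of the query_string that is not a bare wildcard. A query of just '*'
    therefore yields an empty set."""
    return {t.lower() for t in query_string.split() if t.strip("*?")}


def suspicious_highlights(response, default_field, query_string="*"):
    """Return (doc id, field, highlighted term) for every <em> span whose text
    equals the configured default_field name (case-insensitive) but is not one
    of the query's own terms. Any such entry is a highlight the user never
    asked for, like the 'Message' fragment in the post."""
    expected = query_terms(query_string)
    found = []
    for hit in response.get("hits", {}).get("hits", []):
        for field, fragments in hit.get("highlight", {}).items():
            for frag in fragments:
                for term in EM_RE.findall(frag):
                    low = term.lower()
                    if low == default_field.lower() and low not in expected:
                        found.append((hit.get("_id"), field, term))
    return found


if __name__ == "__main__":
    for doc_id, field, term in suspicious_highlights(SAMPLE_RESPONSE, "message"):
        print(f"doc {doc_id}: field '{field}' highlights '{term}' spuriously")
```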