I have a question regarding the ES query string syntax (Version 1.5.0). I am searching
logstash log entries containing XML documents and I'd like to search for
documents containing certain XML attributes with certain values. When
my query string looks like this:
id: foo AND attrName="SomeValue" AND field2:bar
I get all documents where:
- id=foo
AND - field2=bar
AND - contain the text attrName AND the text SomeValue
When I change my query to (added parentheses):
id: foo AND (attrName="SomeValue") AND field2:bar
I get all documents where:
- id=foo
AND - field2=bar
AND - contain the text attrName OR the text SomeValue
Why is (attrName="SomeValue") evaluated as attrName OR SomeValue, whereas without parentheses it is attrName AND SomeValue?
My search JSON is:
{
  "sort": [
    "@timestamp"
  ],
  "query": {
    "query_string": {
      "query": "mySearchText"
    }
  },
  "fields": [
    "_id"
  ],
  "size": 100
}