How to do a NOT IN like query in Elastic?

Sewalita_Duara · August 2, 2018, 4:58pm

Hello

Is NOT-IN like query doable in Elastic?

Example, index has the following fields & data

_id, job_id, transaction, data_source
1, 123, read, RDBMS
2, 123, read, File
3, 123, write, File
4, 124, read, File
5, 124, export, RDBMS
6, 125, read, RDBMS
7, 126, export, RDBMS
8, 127, write, File

How to query records for jobs that do not include File read

SELECT * FROM ... WHERE job_id NOT IN (SELECT job_id FROM ... WHERE transaction='read' AND data_source='File')

Expected results -

_id, job_id, transaction, data_source
6, 125, read, RDBMS
7, 126, export, RDBMS
8, 127, write, File

Thanks

forloop · August 7, 2018, 11:40pm

It's not possible to perform this kind of set-based operation.

If the SELECT statement inside of NOT IN(...) targets the same index, then this could be achieved with a bool query with two must_not clauses e.g.

{
  "query": {
    "bool": {
      "must_not": [
      {
        "term": {
          "transaction": {
            "value": "read"
          }
        }
      },
      {
        "term": {
          "data_source": {
            "value": "File"
          }
        }
      }]
    }
  }
}

which would be the equivalent of SQL

SELECT * 
FROM 
    jobs 
WHERE 
    transaction <> 'read' 
AND 
    data_source <> 'File'

Sewalita_Duara · August 8, 2018, 7:26pm

Thank @forloop for the response

The SELECT statement inside of NOT IN targets the same index.

But the

SELECT *
FROM jobs
WHERE transaction <> 'read' AND data_source <> 'File'

would yield

_id, job_id, transaction, data_source
1, 123, read, RDBMS
3, 123, write, File
5, 124, export, RDBMS
6, 125, read, RDBMS
7, 126, export, RDBMS
8, 127, write, File

different from the desired

SELECT * FROM jobs WHERE job_id NOT IN (SELECT job_id FROM jobs WHERE transaction='read' AND data_source='File')

_id, job_id, transaction, data_source
6, 125, read, RDBMS
7, 126, export, RDBMS
8, 127, write, File

forloop · August 8, 2018, 10:19pm

Ah I see, I missed the piece where the clauses are applied across job_id.

I don't believe there's an equivalent way to do this. Two ways that I would propose:

Denormalizing the data to nest transaction and data_source tuples as a collection of nested objects mapped as nested types. Then use a nested query with similar logic as before to exclude documents.

or

Perform two queries. First to retrieve the job_id that match transaction = read and data_source = File . Second, to query with the job_id applied in a terms query inside of a bool query must_not clause. Depending on the number of ids that we're dealing with, the queries may need to be further partitioned.

Both approaches have their tradeoffs.

system · September 5, 2018, 10:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
NOT IN replacement in elasticsearch sql query Elasticsearch	4	16	August 6, 2024
How to: Elastic Search - Efficient/Compact “Not In” Operator Elasticsearch	2	14265	January 19, 2018
SQL IN clause equivalent Elasticsearch	7	16511	October 22, 2018
Is there any solution to do the “NOT IN” functionality in Elasticsearch? Elasticsearch	4	453	July 6, 2017
Query question: must not match anything but xyz Elasticsearch	2	940	July 6, 2017

How to do a NOT IN like query in Elastic?

Related Topics