Hi
I have created a mapping that looks like this:
PUT /mylogs_1/_mapping
{
  "properties": {
    "logEvents": {
      "type": "nested",
      "properties": {
        "id": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "message": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "timestamp:": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
  }
}
I have input a document:
PUT /mylogs_1/_doc/1
{
  "logEvents": [
    {
      "message": "abc",
      "id": "1",
      "timestamp:": "12345"
    },
    {
      "message": "def",
      "id": "2",
      "timestamp:": "10000"
    },
    {
      "message": "ggg",
      "id": "3",
      "timestamp:": "33333"
    }
  ]
}
But when I do a search:
GET /mylogs_1/_search
{
  "query": {
    "nested": {
      "path": "logEvents",
      "query": {
        "bool": {
          "must": [
            {
              "match": {
                "logEvents.message": "abc"
              }
            }
          ]
        }
      }
    }
  }
}
The return result is giving me all 3 messages inside logEvents.
{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 0.9808291,
    "hits" : [
      {
        "_index" : "mylogs_1",
        "_type" : "_doc",
        "_id" : "1",
        "_score" : 0.9808291,
        "_source" : {
          "logEvents" : [
            {
              "message" : "abc",
              "id" : "1",
              "timestamp:" : "12345"
            },
            {
              "message" : "def",
              "id" : "2",
              "timestamp:" : "10000"
            },
            {
              "message" : "ggg",
              "id" : "3",
              "timestamp:" : "33333"
            }
          ]
        }
      }
    ]
  }
}
How would I do the search query or the mapping such that it will only return me just
{
  "message": "abc",
  "id": "1",
  "timestamp:": "12345"
}
Thanks,
ck