How to list non empty field names based on search criteria on elasticsearch

ehmd96 · May 25, 2023, 3:26pm

we are encountering an issue on elasticsearch trying to display fields based on certain search criteria.

We have an index with a "payload" field which has multiple properties

What we are trying to do is to request the index to retrieve properties based on criteria.

For example, for all the logs where payload.codeClient=something, list all other payload properties ever set in messages matching that criteria.

We have tried some requests so far but none of them worked properly

GET our_alias_name/_search
{ 
  "size": 100, 
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "timestamp": {
              "gte": "now-6M/M" 
            }
          }
        },
        {
          "query_string": {
            "default_field": "codeMessage",
            "query": "TRT*"
          }
        },
        {
          "match": {
            "payload.typeObjet.keyword": "paiement"
          } 
        }
      ]
    }
  },
  "fields": [
    "payload.*"
  ],
  "sort": [
    {
      "timestamp": {
        "order": "desc"
      }
    }
  ],
  "_source": false
}

And what we got as an answer was:

{
  "took" : 304,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [
      {
        "_index" : "index_name",
        "_type" : "_doc",
        "_id" : "ySzVVogB36_bMKME_Ll0",
        "_score" : null,
        "fields" : {
          "payload.applicationCible.keyword" : [
            "Kyriba"
          ],
          "payload.codeBranche" : [
            "MEF"
          ],
          "payload.typeObjet" : [
            "paiement"
          ],
          "payload.applicationSource.keyword" : [
            "SAGE MEF"
          ],
          "payload.typeObjet.keyword" : [
            "paiement"
          ],
          "payload.applicationSource" : [
            "SAGE MEF"
          ],
          "payload.codeBranche.keyword" : [
            "MEF"
          ],
          "payload.applicationCible" : [
            "Kyriba"
          ]
        },
        "sort" : [
          1685084047337346939
        ]
      },
      {
        "_index" : "azure_aks_container_logs",
        "_type" : "_doc",
        "_id" : "uhbVVogBXEyG-ruo_HKV",
        "_score" : null,
        "fields" : {
          "payload.applicationCible.keyword" : [
            "Kyriba"
          ],
          "payload.codeBranche" : [
            "RHU"
          ],
          "payload.typeObjet" : [
            "paiement"
          ],
          "payload.applicationSource.keyword" : [
            "RHPI"
          ],
          "payload.typeObjet.keyword" : [
            "paiement"
          ]....................

but the test above does not show a field wich has not been set in query result, and what we want to get as an answer is not an array with messages content but an array with all field names that have ever been filled and respecting the criteria payload.typeObjet=paiement

We have looked at the possibility of using aggs but as said previously, what we want as an answer is an exhaustive list of ever filled (non empty) field names matching the search criteria

dadoonet · May 25, 2023, 4:07pm

Bonjour

And welcome.

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Then could you provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script is something anyone can copy and paste in Kibana dev console, click on the run button to reproduce your use case. It will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.

system · June 22, 2023, 4:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic search query to check if property is empty/non-empty Elasticsearch	2	16710	July 25, 2022
How to get all Field names with filter(or query) criteria on ElasticSearch? Elasticsearch	3	428	October 4, 2021
Query for the fields which is non empty Elasticsearch	6	3546	December 2, 2023
Searching non-indexed fields Elasticsearch	2	1968	April 3, 2023
How to get the field names which have no data or null in elasticsearch dynamically? Elasticsearch	1	265	January 10, 2022

How to list non empty field names based on search criteria on elasticsearch

Related topics