I have a psaInfo field which is nested.
It is optional and not available on all events, how can I write a query to get all events where there is no psaInfo field?
Here is what I have tried:
- My impression is that Elastic does not react to the condition at all. I see documents in the response that have psaInfo.
{
  "_source": [
    "time", "psaInfo", "alertStatus"
  ],
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must_not": [
              {
                "nested": {
                  "path": "psaInfo",
                  "query": {
                    "exists": {
                      "field": "psaInfo"
                    }
                  }
                }
              }
            ]
          }
        }
      ],
      "filter": {
        "range": {
          "time": {
            "gte": "2022-10-09"
          }
        }
      }
    }
  },
  "sort": [
    {
      "time": "desc"
    }
  ],
  "size": 1000
}
- I was sure that this query would work, since I had used a similar one elsewhere to get documents where psaInfo.type does not exist.
But when I run it I get an empty response (an empty hits array).
GET /dev_events*/_search
{
  "_source": [
    "time"
  ],
  "query": {
    "bool": {
      "must": {
        "nested": {
          "query": {
            "bool": {
              "minimum_should_match": 1,
              "should": [
                {
                  "bool": {
                    "must_not": {
                      "exists": {
                        "field": "psaInfo"
                      }
                    }
                  }
                }
              ]
            }
          },
          "path": "psaInfo"
        }
      },
      "filter": {
        "range": {
          "time": {
            "gte": "2022-01-09"
          }
        }
      }
    }
  },
  "sort": [
    {
      "time": "desc"
    }
  ],
  "size": 1000
}
- While I was reading different things here, I found out that there is also a flag "ignore_unmapped": true. I tried to use it, but why did I get some random 75 events, although I know that there should be many more of them?
GET /dev_events*/_search
{
  "_source": [
    "time", "psaInfo", "alertStatus"
  ],
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must_not": [
              {
                "nested": {
                  "path": "psaInfo",
                  "ignore_unmapped": true,
                  "query": {
                    "exists": {
                      "field": "psaInfo"
                    }
                  }
                }
              }
            ]
          }
        }
      ],
      "filter": {
        "range": {
          "time": {
            "gte": "2022-10-09"
          }
        }
      }
    }
  },
  "sort": [
    {
      "time": "desc"
    }
  ],
  "size": 1000
}
Help me please. Thanks
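
Added example, not part of the original post: in the first and third attempts the `must_not` is wrapped in `should`, and a `bool` query that also carries a `filter` clause defaults `minimum_should_match` to 0, so that `should` clause only influences scoring and never excludes a document. Placing `must_not` at the same level as `filter` makes the absence of `psaInfo` a hard condition. This assumes `psaInfo` is mapped as `nested` in every index matched by `dev_events*`, and the body is sent to the same `GET /dev_events*/_search` endpoint used above.

```json
{
  "_source": ["time", "psaInfo", "alertStatus"],
  "query": {
    "bool": {
      "filter": {
        "range": {
          "time": { "gte": "2022-10-09" }
        }
      },
      "must_not": [
        {
          "nested": {
            "path": "psaInfo",
            "query": {
              "exists": { "field": "psaInfo" }
            }
          }
        }
      ]
    }
  },
  "sort": [
    { "time": "desc" }
  ],
  "size": 1000
}
```

The second attempt returns nothing for a different reason: a `nested` query is evaluated against the nested `psaInfo` objects themselves, and an event without `psaInfo` has no such object for the inner `must_not` to match.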