How to search in Elasticsearch when the same field is present multiple times?

I'm trying to figure out how to search an index when the same field is present multiple times. Look at the example below:

"_source" : {
  "field1" : "value1",
  "field_list" : [
    {
      "xx" : "aa",
      "yy" : "bb",
      "zz" : "cc"
    },
    {
      "xx" : "acfg",
      "yy" : "abcd123",
      "zz" : "xyz321"
    }
  ],
  "tags" : [
    "_aggregatefinalflush"
  ],
  "field3" : null
}

I want to query with "xx" and "yy" as parameter. But when I search like this:

GET /indexname/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "field_list.xx": "aa"
          }
        },
        {
          "match": {
            "field_list.yy": "abcd123"
          }
        }
      ]
    }
  }
}

It returns this document. I want to get this document only when "xx" and "yy" of the same object match the parameters. Is it possible? If yes, could anyone please share the correct way to query? Thanks in advance!

Hi!
What type is "field_list" field?

Hey!

My mapping looks something like this:

"mappings" : {
      "properties" : {
        "field_list" : {
          "properties" : {
            "xx" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "yy" : {
              "type" : "date"
            },
            "zz" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            }
          }
        },
        "field1" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
      }
}

Just FYI, this nested field is constructed through the Logstash 'aggregate' filter plugin while inserting the JSON fetched from the DB.

For your query to work you need to change your mapping to use the nested field type and then rewrite your query as a nested query.


I would take Christian's advice.

Thank you so much for the reply @Christian_Dahlqvist.

So, basically I need to define the mapping from Logstash while indexing. Could you please share any documentation on how I could define a mapping from Logstash?

Also, most of the mappings created by Logstash are OK, and I only need to define one mapping (field_list) in Logstash. So, can I define only a single mapping?

You generally specify mappings through index templates. You may get Logstash to upload this for you but I prefer to manage it directly in Elasticsearch instead.


Thank you so much! I think index template is what I was looking for.
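
The mapping change and query rewrite suggested in the replies above, written out as an added example (not code posted by anyone in the thread). It assumes Elasticsearch 7.8 or later for composable index templates; the template name `field_list_nested` and the `indexname*` pattern are placeholders, and the values come from the sample document in the question.

```console
# Index template that overrides only field_list; every other field
# (including the sub-fields of field_list) is still mapped dynamically.
PUT _index_template/field_list_nested
{
  "index_patterns": ["indexname*"],
  "template": {
    "mappings": {
      "properties": {
        "field_list": { "type": "nested" }
      }
    }
  }
}

# Nested query: both clauses must match inside the SAME field_list object.
# xx=aa with yy=abcd123 no longer returns the sample document, because
# those values live in two different objects. xx=aa with yy=bb would.
GET /indexname/_search
{
  "query": {
    "nested": {
      "path": "field_list",
      "query": {
        "bool": {
          "must": [
            { "match": { "field_list.xx": "aa" } },
            { "match": { "field_list.yy": "abcd123" } }
          ]
        }
      }
    }
  }
}
```

The template only applies to indices created after it is stored. An existing index whose `field_list` is already mapped as a plain object cannot be switched to `nested` in place and has to be reindexed into a new index.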
