How to search in Elasticsearch when same field is present multiple times?

Vipul_Kumar · May 23, 2022, 9:50am

I'm trying to figure out how do I search an index when same field is present multiple times. Look at the below example:

"_source" : {
          "field1" : "value1",
          "field_list" : [
            {
              "xx" : "aa",
              "yy" : "bb",
              "zz" : "cc"
            },
            {
              "xx" : "acfg",
              "yy" : "abcd123",
              "zz" : "xyz321"
            }
			],
          "tags" : [
            "_aggregatefinalflush"
          ],
          "field3" : null
        }

I want to query with "xx" and "yy" as parameter. But when I search like this:

GET /indexname/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "field_list.xx": "aa"
          }
        },
        {
          "match": {
            "field_list.yy": "abcd123"
          }
        }
      ]
    }
  }
}

It returns this document. I want to get this document only when "xx" and "yy" of the same object matches with the parameter. Is it possible? If yes, could anyone please share the correct way to query? Thanks in advance!

RabBit_BR · May 23, 2022, 12:41pm

Hi!
What type is "field_list" field?

Vipul_Kumar · May 23, 2022, 4:11pm

Hey!

My mapping looks something like this:

"mappings" : {
      "properties" : {
        "field_list" : {
          "properties" : {
            "xx" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "yy" : {
              "type" : "date"
            },
            "zz" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            }
          }
        },
        "field1" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        }
	}
}

Just FYI, this nested field is constructed through logstash 'aggregate' filter plugin while inserting the json fetched from DB.

Christian_Dahlqvist · May 23, 2022, 4:20pm

For your query to work you need to change your mapping to use nested field type and then rewrite you query as a nested query.

RabBit_BR · May 23, 2022, 5:03pm

I would take Christian advice.

Vipul_Kumar · May 24, 2022, 4:34am

Thank you so much for the reply @Christian_Dahlqvist.

So, basically I need to define mapping from the logstash while indexing. Could you please share any documentation where I could define mapping from logstash?

Also, most of the mapping created by logstash is ok, and only one mapping (field_list) I need to define in logstash. So, can I define only single mapping?

Christian_Dahlqvist · May 24, 2022, 4:42am

You generally specify mappings through index templates. You may get Logstash to upload this for you but I prefer to manage it directly in Elasticsearch instead.

Vipul_Kumar · May 24, 2022, 6:30am

Thank you so much! I think index template is what I was looking for.

system · June 21, 2022, 6:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.