Is it possible to search on the field name through wildcard?

Miguel_BA · March 26, 2021, 8:36am

Hello, I need to make a query that returns all the document names that have a value greater than 3.
The problem is that the names of the documents are changing and are all different, so I do not know the full name of the documents, only their first initials.

    {
    "name":"mike",
    "surname" : "perez",
    "CVE-1232131123":"5" 
    }

The document is CVE-1232131123, always matches the initial CVE, but the following digits are random.
Is there a way to filter out documents with a number greater than 3 without specifying the entire field?
Thank you

Christian_Dahlqvist · March 26, 2021, 9:01am

It is IMHO general bad practice to have field names containing a value like that as it could lead to mapping explosion. It would be better to create a separate field for the CVE designation. As far as I know you can not do wildcard on field names.

dadoonet · March 26, 2021, 9:10am

Agreed. I'd do something like:

{
    "name":"mike",
    "surname" : "perez",
    "cve-name": "CVE-1232131123",
    "cve-level": 5 
}

And BTW I'd make the cve-level a number and not a string.

Miguel_BA · March 26, 2021, 9:46am

you are right that it is a bad practice, and I have indicated to modify the JSON in the way as you have said, with unique fields. But the above documents are created and I am looking into how to fix it with Elasticsearch.
I have looked at the query_string with range function:

Do you think this function can help me?
Thanks for your answers

dadoonet · March 26, 2021, 10:06am

I'd reindex the existing documents.
Either by reinjecting them from the source with the new schema or by using the reindex API with an ingest pipeline which can transform your documents.

system · April 23, 2021, 10:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.