Issue with elasticsearch query - dot in field values

Sampson_Light · February 20, 2021, 9:36am

Hello,

There's an issue with the use of . in my field value.

The sample below is a 'valid' query that returns some hits

Copy to clipboard

{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "Address": "abcdef*"
          }
        },
        {
          "match": {
            "Message.Code": "AA101"
          }
        },
        {
          "range": {
            "DateCreated": {
              "gte": "2020-01-04",
              "lte": "2020-01-04"
            }
          }
        }
      ],
      "must_not": [],
      "should": []
    }
  }
}

However, the problem starts when I change Message.Code from "AA101" to "AA101.extra", resulting in 0 hits.

Copy to clipboard

{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "Address": "abcdef*"
          }
        },
        {
          "match": {
            "Message.Code": "AA101.extra"
          }
        },
        {
          "range": {
            "DateCreated": {
              "gte": "2020-01-04",
              "lte": "2020-01-04"
            }
          }
        }
      ],
      "must_not": [],
      "should": []
    }
  }
}

Please advise how I should go about this.

Thanks!
Sam

aaron-nimocks · February 20, 2021, 4:09pm

Can you provide sample data and the associated mapping?

Sampson_Light · February 20, 2021, 4:32pm

Hello Aaron,

I am unsure what do you mean by a sample data and the associated mapping.

The issue i'm facing is that inside my index, I have a field name Message.Code.

Within the Message.Code field, it contains 4 types of values:
AA101, AA101.extra, AA200 & AA999.

When I run a simple count query for each of these 4 values, only AA101.extra returns nothing > probably due to the dot annotation used.

Do you know if elasticsearch has some kind of limitation for dots?

Regards
Sam

aaron-nimocks · February 20, 2021, 4:42pm

I tested this and it seems to work correctly so would possibly lead to the other parts of the query?

Mapping

{
"type" : "text",
"fields" : {
"keyword" : {
 "type" : "keyword",
 "ignore_above" : 256
 }
}

POST test/_doc
{
  "Message.Code": "AA101"
}

POST test/_doc
{
  "Message.Code": "AA101.extra"
}

GET test/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "Message.Code": "AA101.extra"
          }
        }
      ]
    }
  }
}

Sampson_Light · February 20, 2021, 5:09pm

The "type" I am using is _doc rather than "text".

I just tried it again, somehow its working this time round, just for clarification, it doesn't matter what "type" I am using right?

Thanks
Sam

aaron-nimocks · February 20, 2021, 5:11pm

I don't think the type would have mattered since you should get results if it was a text or keyword type. Glad it's working now.

Text is for being able to search within the data.

Keyword is used for exact matches and searching is not allowed.

system · March 20, 2021, 5:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.