I found an interesting issue for which I found no clear explanation, and I hope you guys can help us.
We are currently running 7.5.1 on dozens of clusters, and I wonder what precisely the difference in behavior is between KQL and Lucene when it comes to finding something.
As everybody, or most, are aware, the _all field has been deprecated since v6, and it looks like KQL can simulate it somehow. Please check the following examples, which I processed in Lucene and KQL.
Lucene vs KQL
Example 1: json.@product: "smartapp" AND json.message: "error" -> 1:1 (Both match)
Example 2: "smartapp" AND "error" -> 0:1 (KQL match)
Example 3: smartapp and error -> 0:1 (KQL match)
It looks like KQL doesn't really care anymore about the fact that you have to pinpoint the field you are looking into, which Lucene needs.
So searching for specific terms ends up empty in Lucene, but KQL gets a match.
Is there some technical documentation on how precisely KQL works and what is the technical difference between Lucene and KQL?
Thank you for any insight,