Limit search return to exact match for URL

MarkStewart · January 24, 2019, 9:36pm

I have an index I am searching that has a field under _source called request_path.

This field has some similar URLs saved in over 38,000 documents.
in the format (under _source)
"request_path": "/v1/api-portal/teams/",
"request_path": "/v1/api-portal/teams/fbf167c0-67fd-4239-8437-62b48bd25439",
"request_path": "/v1/api-portal/teams/a3f73bda-2c0b-4e4c-aa08-e3351c13727c",

I tried several variations of match_phrase to just return the 1st example "/v1/api-portal/teams/" and not return any of the variations like the 2nd and 3rd line above. Filtering is not possible as the GUID changes and there are many variations.
I just want to see documents with "/v1/api-portal/teams/" but NOT any with extra GUID like "/v1/api-portal/teams/fbf167c0-67fd-4239-8437-62b48bd25439",

The query I was using is close to giving me what I need as it gets 95% correct but it still finds documents with a score high enough to get the GUID in the answer.

What i got closest with.

GET /portal.api*/_search?size=10000
{
"query": {
"match_phrase" : {
"request_path" : "/v1/api-portal/teams"
}
}
}

Any hints to clean out the request_path items with the GUID and only return the portion w/o the GUID? I just need documents with this to return. "request_path": "/v1/api-portal/teams" and nothing else

Thanks in advance.
(ps I have been away from ELK for a period since around the 2.5.4 release era and am now back using it at a new job running on Version 5.5)

MarkStewart · January 24, 2019, 10:05pm

Mapping for the request_path field is as follows
"request_path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}

abdon · January 24, 2019, 11:31pm

Try querying the request_path.keyword multifield with a regular match query:

GET /portal.api*/_search?size=10000
{
  "query": {
    "match": {
      "request_path.keyword": "/v1/api-portal/teams"
    }
  }
}

The keyword multifield is not analyzed, and allows you to search for exact matches.

If you're coming from 2.x, you may remember the .raw multifields. Those offered the same functionality back in 2.x

MarkStewart · January 25, 2019, 1:22pm

Abdon,
Thank you very much. This is what I was looking for. Yes I do remember the .raw data and was what I was looking for but couldn't seem to find what it changed to or how to work around it not being there.

Thanks again.

Mark

system · February 22, 2019, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
NEST search by guid returning more documentes, how to escape "-" char? Elasticsearch	4	1767	January 24, 2017
Search in HTTP request field Kibana	3	3864	November 10, 2017
Best query to only return documents matching a nested unique id 'id' and not the ES _id field? Elasticsearch	9	1526	December 14, 2020
Filtering with minimum_should_match: "100%" not using all tokens in field Elasticsearch	5	2929	July 5, 2017
Get count of analyzed strings as a result back within list of fields Elasticsearch	3	714	December 19, 2016

Limit search return to exact match for URL

Related topics