Match_phrase not giving expected output

This is my sample JSON in Elasticsearch

```
{
  "_index": "logstash-dds-2019.05.03",
  "_type": "dds_next",
  "_id": "AWp-Y_-uIGa9uJGBjmoM",
  "_version": 1,
  "_score": null,
  "_source": {
    "runDateTime": "2019-05-03 15:48:36",
    "input_type": "log",
    "packageId": "c625c475-9341-44d0-9e0b-caf9028d364a",
    "type": "dds_next",
    "reRun": "false",
    "packageName": "Package_Sftp_Customer_ABC",
    "status": "PACKAGE_COMPLETED"
  }
}
```

When I apply this DSL I don't get any result

```
{
  "query": {
    "bool": {
      "must": [
        {
          "match_phrase": {
            "status": "PACKAGE_COMPLETED"
          }
        },
        {
          "match_phrase": {
            "reRun": "false"
          }
        },
        {
          "match_phrase": {
            "packageName": "Package_Sftp_Customer"
          }
        },
        {
          "match_phrase": {
            "runDateTime": "2019-05-03"
          }
        }
      ]
    }
  }
}
```

But I get output when I try this

```
{
  "query": {
    "bool": {
      "must": [
        {
          "match_phrase": {
            "status": "PACKAGE_COMPLETED"
          }
        },
        {
          "match_phrase": {
            "reRun": "false"
          }
        },
        {
          "match_phrase": {
            "runDateTime": "2019-05-03"
          }
        }
      ]
    }
  }
}
```

Any reason why I am not able to match phrase on packageName?

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

It depends on the mapping/analyzer you are using. But as you indexed Package_Sftp_Customer_ABC, it probably does not match.

This data is put in Elastic through Logstash.

How will I know what analyzer I am using?
The mapping is automatically created by Elasticsearch when the data is first written to the index through Logstash.

I don't understand what you mean here.
Can I do a pattern search for this, like Package_Sftp_Customer_*? If yes, what is the query I should use?

Can you please explain?

The mapping will tell you that. If it's a text field without any analyzer defined then it will use the Standard analyzer (Elasticsearch Guide [8.11]).

You indexed "packageName": "Package_Sftp_Customer_ABC" and you are searching for "packageName": "Package_Sftp_Customer". That is obviously not equal. But that might match depending on how the analyzer is processing the text.

I'd recommend using the Analyze API to understand what is happening behind the scenes. https://www.elastic.co/guide/en/elasticsearch/reference/current/_testing_analyzers.html

You can use a Wildcard query but this is slow. Or you can use an edge n-gram based analyzer: Edge n-gram token filter (Elasticsearch Guide [8.11]).
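
The behaviour discussed in this thread, as an added example that is not part of any post above: a simplified Python model of how the standard analyzer tokenizes these values, why `match_phrase` then misses on `packageName` but hits on `runDateTime`, and how index-time edge n-grams make the prefix searchable. It assumes both fields are text fields with no custom analyzer; the regex is an ASCII-only approximation of the tokenizer, and `max_gram=30` is a value chosen for illustration.

```python
import re

# Simplified model of the standard analyzer (assumption: no custom analyzer
# on the field). Under the Unicode word-break rules it follows, "_" joins
# letters and digits into one token, while "-", ":" and spaces split them;
# tokens are then lowercased. ASCII-only approximation.
TOKEN = re.compile(r"[A-Za-z0-9_]+")

def standard_analyze(text):
    return [t.lower() for t in TOKEN.findall(text)]

def phrase_matches(indexed, query):
    """match_phrase: the query tokens must appear consecutively, in order."""
    doc, q = standard_analyze(indexed), standard_analyze(query)
    return any(doc[i:i + len(q)] == q for i in range(len(doc) - len(q) + 1))

def edge_ngrams(token, min_gram=1, max_gram=30):
    """Prefixes an edge n-gram token filter emits at index time for one token."""
    return [token[:n] for n in range(min_gram, min(max_gram, len(token)) + 1)]

def prefix_matches(indexed, query, max_gram=30):
    """Index with edge n-grams, analyze the query without them."""
    grams = {g for t in standard_analyze(indexed)
             for g in edge_ngrams(t, 1, max_gram)}
    return all(t in grams for t in standard_analyze(query))

if __name__ == "__main__":
    name = "Package_Sftp_Customer_ABC"            # value from the sample document
    print(standard_analyze(name))                  # one single token
    print(phrase_matches(name, "Package_Sftp_Customer"))        # no hit
    print(phrase_matches("2019-05-03 15:48:36", "2019-05-03"))  # hit
    print(prefix_matches(name, "Package_Sftp_Customer"))        # hit via n-grams
```

The Analyze API recommended above shows the real token stream for an index, which is what to check before relying on this model.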
