Match Strings Exactly Within A BOOL

I very much struggle with the Elasticsearch syntax. I have a query that almost works except for exact string matching on the labels.system_id values in the below example. Specifying "West-1-a" returns records for "North-West-1-a" as well as "West-1-a". How can I modify my query to limit my labels.system_id to the exact strings I have within my "should" section? Willing to rearchitect the entire query, but just don't know how.

{
 "size"    : 8000,
 "_source" : {
   "includes" : [
     "@timestamp", "labels.system_id", "labels.programNumber", "host.hostname", "container.name", "message"
   ]
 },
 "query"   : {
   "bool"    : {
     "must"    :
       [
         { "match"        : { "message" : "<SpliceInfoSection" } },
         { "match_phrase" : { "message" : "segmentationTypeId=55" } }
       ],
     "should"  : [
       { "match_phrase" : { "labels.system_id" : "West_ATP-1-a" } },
       { "match_phrase" : { "labels.system_id" : "West_ATP-1-b" } }
     ],
     "minimum_should_match" : 1,
     "filter" : {
       "range" : {
         "@timestamp" : {
           "gte" : "2019-10-02T22:00:00.000Z",
           "lt"  : "2019-10-03T02:00:00.000Z"
         }
       }
      }
   }
 }
}

Matching Record excerpts:

"labels": {
  "system_id": "West_ATP-1-b",
  "programNumber": "6"
}

...

"labels": {
  "system_id": "North-West_ATP-1-b",
  "programNumber": "6"
}

I've tried several things including modifying my filter, and using term. No luck.

Thanks in advance!

Use "labels.system_id.keyword"

Thank you so much, that worked perfectly. I've got a lot more research to do on elasticsearch.

When you want to match exactly you should perhaps use a term search
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html
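
Added example, not part of any reply in this thread: a small Python model of why the phrase query also returns "North-West_ATP-1-b", followed by the thread's query rebuilt with a `terms` filter on the `.keyword` sub-field, which covers both the `.keyword` reply and the term-query reply. It assumes `labels.system_id` is a default dynamically mapped text field with a `.keyword` sub-field; `analyze` is a simplified stand-in for the standard analyzer, and all function names are hypothetical.

```python
import re

# Constructed sample values, copied from the record excerpts in the thread.
DOCS = ["West_ATP-1-b", "North-West_ATP-1-b"]

def analyze(text):
    """Simplified stand-in for the standard analyzer (assumption): lowercase,
    then split on anything that is not a letter, digit or underscore."""
    return re.findall(r"[a-z0-9_]+", text.lower())

def phrase_match(query, stored):
    """match_phrase on a text field: the query's tokens must appear in the
    stored value's token stream consecutively and in order."""
    q, d = analyze(query), analyze(stored)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))

def keyword_match(query, stored):
    """term/terms on a keyword field: the whole unanalyzed string is compared."""
    return query == stored

def exact_system_id_query(system_ids, gte, lt):
    """The thread's query with the should/minimum_should_match pair replaced
    by a terms filter on the .keyword sub-field (assumes the default dynamic
    mapping, which the first reply relies on)."""
    return {
        "query": {"bool": {
            "must": [
                {"match": {"message": "<SpliceInfoSection"}},
                {"match_phrase": {"message": "segmentationTypeId=55"}},
            ],
            "filter": [
                {"terms": {"labels.system_id.keyword": list(system_ids)}},
                {"range": {"@timestamp": {"gte": gte, "lt": lt}}},
            ],
        }}
    }

if __name__ == "__main__":
    for doc in DOCS:
        print(doc, analyze(doc),
              "phrase:", phrase_match("West_ATP-1-b", doc),
              "keyword:", keyword_match("West_ATP-1-b", doc))
```

Because `terms` sits in filter context it does not affect scoring, and any one of the listed values is enough for a hit, so `minimum_should_match` is no longer needed.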
