I have built an application in C# which searches my Elasticsearch documents and this all works fine using this code....
List<AuditLog> resultsList = Client.SearchAsync<AuditLog>(s => s
.From(0)
.Take(noRows)
.Query(q => q
.Bool(b => b
.Must(mu => mu.MatchPhrase(mp => mp.Field("audit_Event").Query(auditEvents)),
mu => mu.Match(ma => ma.Field(field).Query(value))
)
)
)).Result.Documents.ToList();
This all works fine but there is a new requirement to search the audit_Event field against multiple phrases, such as "User Login", "Add Employee" etc
I have found reference to multi_match but this appears to be more related to searching across multiple fields rather than multiple values in one field.
Following discussions below, TermQuery would seem to do the job but doesn't return any values. Any ideas?
QueryContainer queryAnd = new TermQuery() { Field = "audit_Application", Value = "MyApplication" };
QueryContainer queryOr = new TermQuery() { Field = "audit_Event", Value = "Employee Inserted" };
queryOr |= new TermQuery() { Field = "audit_Event", Value = "Employee Updated" };
QueryContainer queryMain = queryAnd & queryOr;
resultsList = Client.SearchAsync<AuditLog>(s => s
.From(0)
.Take(noRows)
.Query(q => q
.Bool(b => b
.Must(queryMain)
)
)).Result.Documents.ToList();
I've also checked the two queries using Kibana, the first one returns data but the second one doesn't, and am now wondering if it a problem with how the data is indexed....
GET auditlog/_search
{
"query": {
"bool": {
"should": [
{
"match_phrase": {
"audit_Event": "Employee Updated"
}
},
{
"match_phrase": {
"audit_Event": "Employee Inserted"
}
}
]
}
}
}
GET auditlog/_search
{
"query" : {
"terms": {
"audit_Event": ["Employee Updated","Employee Inserted"]
}
}
}