Must_not field exists query returning documents with those fields excluded

Elastic Stack Elasticsearch
1

Hi all, I don't know if it is a bug, but it seems to me or I am missing something maybe too.
I am performing a search query using the rest API of ES. I am using 5.6.8, the body query is the following (the involved part):

{
"query": {
"bool": {
"must_not": [
{
"exists": {
"field": "event.KPI.TimeE1.Value"
}
},
{
"exists": {
"field": "event.KPI.TimeE2.Value"
}
}
]....

in return Elasticsearch give a document with one or more of those fields that in theory I am excluding:
"_source": {
"@timestamp": "2018-05-15T05:46:22.733Z",
"@version": "1",
"event": {
"KPI": {
"TimeE2": {
"Value": "2018-05-15T05:46:20.000+0000"
},.....

Is this because the must_not clause is applying an OR operator instead of an AND? Can achieve the same result in Lucene Expression? I have tried but I couldn't.

2

You should try rewriting the query as follows:

"query" : {
  "bool" : {
    "must" : [
        {
            "bool" : {
				"must_not" : [
					{
						#first clause
					}
				]
			}
        },
		{
			"bool" : {
				"must_not" : [
					{
						#second clause
					}
				]
			}
		}
    ]
}
}

Hope that helps.

1 Like
3

Worked perfectly, thank you Rahul, many thanks..

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.