Painless test on Array length

Elastic Stack Elasticsearch
1

Hi,
I'm trying to display only documents with more than one value in an array.
My naïve approach was to do

    {
        "query": {
            "bool": {
                "must": {
                    "script": {
                        "script": {
                            "inline": "doc['srcPortsMap'].values.length > 1 ",
                            "lang": "painless"
                        }
                    }
                }
            }
        }
    }

But I got that error: No field found for [srcPortsMap] in mapping with types []

but mapping exists

      "srcPortsMap": {
        "properties": {
          "count": {
            "type": "long"
          },
          "port": {
            "type": "long"
          }
        }
      },

any idea?
Thanks

1 Like
2

Hey Sebastien!

I'd compute that at index time instead of having to compute that at search time which is going to be slow as it has to go through all the hits. Specifically here that you have a match_all query.

You can do that with ingest and an ingest script processor on on your side (even better).

BTW does your field exist for all documents?

3

Thanks for the advice

Yes it exists on all documents, but it can be a single value or an array of values

4

You should double check all docs actually have the srcPortMap field. It will only show as missing if the doc being evaluated does not have a value for the field.

But calculating this at index time will be much more efficient, as David suggested.

5

Thanks for your help
I'll do it at index time. In the mean time, is there a way in painless to check if field srcPortsMap exists?

6

Yes. doc is a Java Map, so you can use containsKey:

if (doc.containsKey('srcPortsMap')) {
   /* do something with doc['srcPortsMap'] */
} else {
  /* field does not exist */
}
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.