Query Assistance Needed

Hi,
I have a need to search our log indices to:

  • find documents containing fields with names prefixed with a specific string
  • return those fields
  • return the field "application.name", which is a standard field

How might I go about doing this?

Thx
D

Hi dawiro,

You want to search for prefixed fields that have some content, right? Normally the exists query would do the trick, but that cannot be used in conjunction with wildcards. However the query_string query supports wildcards:

PUT my-index/_doc/1
{
  "application.name": "my-app",
  "fooz": "hello world"
}

PUT my-index/_doc/2
{
  "application.name": "my-app",
  "barz": "what's up"
}

PUT my-index/_doc/3
{
  "application.name": "my-app",
  "food": "hello again"
}


POST my-index/_search
{
  "query": {
    "query_string": {
      "query": "*",
      "default_field": "foo*" // Returns docs 1 and 3
    }
  },
  "fields": [
    "application.name", "foo*"
  ]
}

Hopefully this helps!

This is useful thank you. How can I exclude an application.name of a particular value?

You need to write a compound bool query with a must clause on the query string above, and a must_not clause on application.name, i.e.

POST _search
{
  "query": {
    "bool": {
      "must": {
        "query_string": {
          "query": "*",
          "default_field": "foo*"
        }
      },
      "must_not": {
        "term": {
          "application.name": "value_you_dont_want"
        }
      }
    }
  }
}

Make sure you're matching on the correct field type of application.name - if it's text, use a match query, if it's keyword, use term. (More info here.)
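As an added example that is not part of this thread or of Elasticsearch itself, the Python script below builds the two search bodies discussed above (the plain `query_string` one and the `bool` one with the `must_not` exclusion) and emulates their matching locally over a constructed corpus (the three documents from the first reply plus two extra cases: a nested `foo.bar` field and a `null` value), so the expected hits can be checked without a cluster. The helper names `build_query`, `flatten`, `select_fields`, `matches` and `search`, the sample documents and the excluded value `noisy-app` are this example's own assumptions; it also assumes `application.name` is mapped as `keyword`, which is what the `term` clause requires.

```python
"""Added example, not code from the thread: build the query_string / bool
search bodies discussed above and emulate their matching locally.
All helper names and sample documents are this example's own assumptions."""
import fnmatch
import json


def build_query(prefix, fields=("application.name",), exclude_app=None):
    """Return the search body from the thread.

    prefix      -- field-name prefix, e.g. "foo" becomes default_field "foo*"
    fields      -- standard fields to return alongside the prefixed ones
    exclude_app -- if given, wrap the query in a bool with a must_not term
                   clause on application.name (assumed to be a keyword field)
    """
    qs = {"query_string": {"query": "*", "default_field": prefix + "*"}}
    if exclude_app is None:
        query = qs
    else:
        query = {"bool": {"must": qs,
                          "must_not": {"term": {"application.name": exclude_app}}}}
    return {"query": query, "fields": list(fields) + [prefix + "*"]}


def flatten(doc, parent=""):
    """Flatten nested objects into Elasticsearch-style dotted field names.
    {"application": {"name": "x"}} and {"application.name": "x"} name the
    same field, so both spellings are handled alike."""
    out = {}
    for key, value in doc.items():
        path = f"{parent}.{key}" if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def select_fields(doc, patterns):
    """Local stand-in for the `fields` parameter: keep only the fields whose
    dotted name matches one of the (wildcard) patterns."""
    return {name: value
            for name, value in flatten(doc).items()
            if any(fnmatch.fnmatchcase(name, p) for p in patterns)}


def matches(doc, prefix, exclude_app=None):
    """Local stand-in for the query: a pure wildcard query_string is rewritten
    to an exists query, so a doc hits when some field with the prefix has a
    non-null value; it is dropped when application.name equals exclude_app."""
    flat = flatten(doc)
    has_prefixed = any(name.startswith(prefix) and value is not None
                       for name, value in flat.items())
    if not has_prefixed:
        return False
    return exclude_app is None or flat.get("application.name") != exclude_app


def search(docs, prefix, exclude_app=None):
    """Run the emulated query over docs; return {doc_id: selected fields}."""
    body = build_query(prefix, exclude_app=exclude_app)
    return {doc_id: select_fields(doc, body["fields"])
            for doc_id, doc in docs.items()
            if matches(doc, prefix, exclude_app)}


# Constructed sample corpus: docs 1-3 from the thread plus two extra cases.
SAMPLE_DOCS = {
    "1": {"application.name": "my-app", "fooz": "hello world"},
    "2": {"application.name": "my-app", "barz": "what's up"},
    "3": {"application.name": "my-app", "food": "hello again"},
    "4": {"application": {"name": "noisy-app"}, "foo": {"bar": "nested"}},  # nested spelling
    "5": {"application.name": "my-app", "foobar": None},                     # null: field does not exist
}

if __name__ == "__main__":
    print(json.dumps(build_query("foo", exclude_app="noisy-app"), indent=2))
    for doc_id, hit in search(SAMPLE_DOCS, "foo", exclude_app="noisy-app").items():
        print(doc_id, hit)
```

Running it prints the well-formed `bool` body and then hits for docs 1 and 3 only: doc 4 has a `foo.bar` field and would match `foo*`, but is dropped by the `must_not` on `application.name`; doc 5 has a `null` value, which an exists query does not count as present. If `application.name` were mapped as `text`, swap the `term` in `build_query` for a `match`, as the last reply notes.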