Hi,
I have a need to search our log indices to:
- find documents containing fields with names prefixed with a specific string
- return those fields
- return the field "application.name", which is a standard field
How might I go about doing this?
Thx
D
Hi dawiro,
You want to search for prefixed fields that have some content, right? Normally the exists query would do the trick, but that cannot be used in conjunction with wildcards. However the query_string query supports wildcards:
PUT my-index/_doc/1
{
"application.name": "my-app",
"fooz": "hello world"
}
PUT my-index/_doc/2
{
"application.name": "my-app",
"barz": "what's up"
}
PUT my-index/_doc/3
{
"application.name": "my-app",
"food": "hello again"
}
POST my-index/_search
{
"query": {
"query_string": {
"query": "*",
"default_field": "foo*" // Returns docs 1 and 3
}
},
"fields": [
"application.name", "foo*"
]
}
Hopefully this helps!
This is useful thank you. How can I exclude an application.name of a particular value?
You need to write a compound bool query with a must clause on the query string above, and a must_not clause on application.name, i.e.
POST _search
{
"query": {
"bool": {
"must": {
"query_string": {
"query": "*",
"default_field": "foo*"
}
}
},
"must_not": {
"term": {
"application.name" : "value_you_dont_want"
}
}
}
}
}
Make sure you're matching on the correct field type of application.name - if it's text, use a match query, if it's keyword, use term. (More info here.)
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.