Query not working as intended?

Hey there.

The following Query is not working as I expect it to. Message is a string field.


Should this not only show me those messages which contain the string "RCV["?

Hey,

I assume your "Message" field is analyzed (otherwise the search result should be different)?

Analyzed values are split up on indexing at some word boundaries (e.g. special characters like brackets). That way, the value you are actually searching in doesn't contain those brackets anymore, and so the query will also be stripped of them, leaving you to just search for RCV, which will match all the documents that you need.

If you want to search for values including those brackets, you would need a non-analyzed field. If you are using Elasticsearch 5 and above, there should be a field named Message.keyword, which contains the non-analyzed value. To search for what you want, you would need to search for:

Message.keyword:RCV\[*

You need to escape the bracket with a backslash, otherwise the query would be invalid. You also need to suffix the * so it won't just search for exact matches, but also for values beginning with that substring.

In contrast, if you search for Message.keyword:"RCV\[*", you would really search for fields that contain the exact string RCV\[* (including the backslash and the asterisk).

I tried to sum up how the analyzing and mapping of strings influence querying in a blog post.

Cheers,
Tim
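
The behaviour described in the reply above, as an added example that is not part of the original posts: a simplified Python model (not Elasticsearch code) of searching an analyzed field versus the unanalyzed Message.keyword field. The sample messages and function names are constructed, and the tokenizer only approximates the standard analyzer.

```python
import re

# Constructed sample log messages (not from the original thread).
MESSAGES = [
    "RCV[42] frame accepted",
    "Timeout waiting for RCV on port 7",
    "SND[42] frame sent",
    "rcv buffer resized",
]


def analyze(text):
    """Approximation of the standard analyzer (assumption): split on
    anything that is not a letter or digit, then lowercase each token."""
    return [tok.lower() for tok in re.findall(r"[A-Za-z0-9]+", text)]


def search_analyzed(query, docs):
    """Model of Message:<query> on an analyzed field.

    The query text goes through the same analysis as the indexed values,
    so brackets vanish on both sides and only the tokens are compared."""
    wanted = set(analyze(query))
    return [doc for doc in docs if wanted & set(analyze(doc))]


def search_keyword_prefix(prefix, docs):
    """Model of Message.keyword:RCV\\[* on the unanalyzed field.

    The whole original value is kept as a single term, so the match is a
    case-sensitive prefix test that still sees the bracket."""
    return [doc for doc in docs if doc.startswith(prefix)]


if __name__ == "__main__":
    print("query tokens for 'RCV[':", analyze("RCV["))
    print("analyzed field hits:")
    for hit in search_analyzed("RCV[", MESSAGES):
        print("   ", hit)
    print("keyword prefix hits:")
    for hit in search_keyword_prefix("RCV[", MESSAGES):
        print("   ", hit)
```

For log triage this means a filter on an analyzed field can quietly return more events than intended, while the keyword field gives the literal match.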
