ES versions tested with: 6.5.4, 7.0.0.
Mapping:
{
"index-name": {
"aliases": {},
"mappings": {
"doc": {
"dynamic": "false",
"properties": {
"content": {
"type": "text"
},
"diffusion_id": {
"type": "keyword"
},
"hostname": {
"type": "keyword"
},
"imei": {
"type": "keyword"
},
"imsi": {
"type": "keyword"
},
"ip_dest": {
"type": "keyword"
},
"ip_source": {
"type": "keyword"
},
"isp_id_dest": {
"type": "keyword"
},
"isp_id_source": {
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"msisdn": {
"type": "keyword"
},
"msisdn_dest": {
"type": "keyword"
},
"msisdn_source": {
"type": "keyword"
},
"protocol": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"type": {
"type": "keyword"
},
"url": {
"type": "keyword"
}
}
}
},
"settings": {
"index": {
"creation_date": "1560186019564",
"number_of_shards": "4",
"number_of_replicas": "1",
"uuid": "iAe3BeX4QbSklZfjxSwNSw",
"version": {
"created": "6050499"
},
"provided_name": "cdrs"
}
}
}
}
Query:
{
"size": 50,
"sort": [
{
"timestamp": {
"order": "desc",
"unmapped_type": "date"
}
}
],
"aggs": {},
"version": true,
"query": {
"bool": {
"must": [
{
"match_all": {}
},
{
"query_string": {
"query": "0033568198782 0033698347370",
"analyze_wildcard": true,
"default_operator": "OR"
}
},
{
"range": {
"timestamp": {
"gte": 1396875747000,
"lte": 1724558331000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"_source": {
"excludes": []
},
"stored_fields": [
"*"
],
"script_fields": {},
"docvalue_fields": [
"timestamp"
],
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"match_all": {}
},
{
"query_string": {
"query": "0033568198782 0033698347370",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1396875747000,
"lte": 1724558331000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
Here, the field 'msisdn' doesn't match with this query (when the value is let's say: '0033568198782'):
"query_string": {
"query": "0033568198782 0033698347370",
"analyze_wildcard": true,
"default_operator": "OR"
}
But this query matches both, just fine:
{
"query_string": {
"query": "0033568198782 OR 0033698347370",
"analyze_wildcard": true,
"default_operator": "OR"
}
}
But in the docs, it's written:
The default operator used if no explicit operator is specified. For example, with a default operator of
OR
, the querycapital of Hungary
is translated tocapital OR of OR Hungary
, and with default operator ofAND
, the same query is translated tocapital AND of AND Hungary
. The default value isOR
.
This also kind of breaks the behaviour of search bar in kibana where a user has to type 0033568198782 OR 0033698347370
rather than 0033568198782 0033698347370
to match keyword
fields. I get the difference between the tokenized and keyword/raw
fields but this doesn't seem to be intended behaviour in this case. Is it a bug or there is some explanation for it?