Quotation marks search stopped working in v6.6

Elastic Stack Elasticsearch
1

Hello
I have an indexed field in my elastic:
"HTTP_Error_Body" : {
"type" : "text",
"norms" : false,
"index_options" : "docs"
}
At version 5.5 when I searched kibana by guid enclosed in quotation marks (in order to find error messages, which contained it), I succesfully got the results, for example:

"ec22e9d2-98b2-11e0-b8c2-0017085b945f"

the value of HTTP_Error_Body in result:
ec22e9d2-98b2-11e0-b8c2-0017085b945f; blah blah />

But in v. 6.6 such search returns nothing, although mapping and queries are the same.

Does anyone has a clue how this could be fixed?

2

can you please probive a fully reproducible example for 6.6 and 5.6. Without the mapping, the index creation and the full query it will be nearly impossible to properly reproduce.

Thank you!

--Alex

3

Hello, Alex. Thank you for response.

Here are scripts for issue reproduction:

Kibana Scripts 
PUT issue_test
{
	"mappings": {
		"iibevent": {
			"properties": {
				"HTTP_Error_Body": {
					"type": "text",
					"norms": false,
					"index_options": "docs"
				},
				"creationTime": {
					"type": "date",
					"format": "strict_date_optional_time || epoch_millis"
				}

			}
		}
	}
}


POST issue_test/iibevent
{
"HTTP_Error_Body":"error in transaction ec22e9d2-98b2-11e0-b8c2-0017085b945f: bad request",
"creationTime":"2019-04-03T12:55:41.908108Z"
}

POST issue_test/iibevent/_search
{
  "size": 1000,
  "sort": [
    {
      "creationTime": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
	"query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "\"ec22e9d2-98b2-11e0-b8c2-0017085b945f\"",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "creationTime": {
              "gte": 1554293216941,
              "lte": 1554296816941,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "creationTime",
        "interval": "1m",
        "time_zone": "Europe/Minsk",
        "min_doc_count": 1
      }
    }
  }
}

If I run them for both 5 and 6 version, I get differrent search result: 1 result at v.5 (as intended) and no results at v.6
All other settings between the instances are the same/

I've also noticed that if I remove the line
"index_options": "docs"
from mapping, the search at v6 works fine, but this is not a solution, as I don't want to change indexing type. Could not find any clues in changelogs as well

Dmitry

4

it seems you are trying to search the _all field by not specifying a field in your search. This does not work in 6.0 anymore. See https://www.elastic.co/guide/en/elasticsearch/reference/6.6/mapping-all-field.html

try using a match query and specify the field you want to search in

5

Thanks, Alexander. But that's the way kibana searches, I took queries from there.
Does that mean that it is no longer possible to get results I need by typing "ec22e9d2-98b2-11e0-b8c2-0017085b945f" in kibana search field?

It's also not quite clear for me why does index_options affect the searchablity of my guid if _all field is switch off anyway

6

On top of my head I think that kibana used the default_field of the query string query to specify a field or select all.

7

Thank you, Alexander.
As far as i understand first solution is to create a custom field "all" with default index_options value and make a rule to copy all other indexable fields to it. It will also be required to switch default_field to "all" for kibana.
On the other hand, I can just switch index_options for all fields to default value. I did not want to do that, but apparently on my data it takes ~30% less disk space.

So, the question is: What would be a right choice here?

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.