Inside Kibana, I want to get all documents where CUR=ABC occurs in one of the array element and is followed by ACTION=HOVER in some other array element. So, I should ideally get only Doc1 as the resultset.
My query in Kibana ARR.CUR:ABC AND ARR.ACTION:HOVER is fetching me both documents Doc1 and Doc2.
One "structured" approach is to use nested documents with a combination of a Boolean query to ensure cur:ABC and action:hover both appear in the object followed by some form of script logic to affirm the sequences in the array.
An alternative "unstructured" approach would be to (ab)use the phrase query capability by presenting your data in more of a string form e.g. terms that combine existing field names and values into single tokens e.g.
[ "CUR_ABC .... ACTION_HOVER "] etc
Then you can use regular "word1 near word2" type text queries to find matches.
I am currently using the 2nd solution (unstructured) inside my data.
I am using logstash indexers to split out everything in array into text field.
Then searching the text field (keyword) by regex queries. Its working as expected.
I want to have more overview on your 1st solution.
If I get it correctly from this documentation:
Internally, nested objects index each object in the array as a separate hidden document, meaning that each nested object can be queried independently of the others
So, as per my example in Doc1, using nested type, I should only be able to query ARR.CUR:ABC AND ARR.ACTION:CLICK (both inside 1st element) but not what I want to, which is ARR.CUR:ABC AND ARR.ACTION:HOVER
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.