Searching for multiple hyphenated terms

lrietze · June 19, 2017, 9:36pm

Hi all,

I am new to the ELK stack, and am in need of some help with querying with Elasticsearch. In essence what I am trying to do is perform a query like such:

select * from source where (message = abc-def OR def-ghi OR abc-jkl OR ...)

The problem I am having though is I can get to a point where I can successfully find matches for just one hyphenated tern, but not multiples. I was wondering if there is a query related solution that wouldn't involve me skipping analysing the field, or changing the mappings?

Thanks!

dadoonet · June 19, 2017, 10:13pm

You can try a match phrase with "abc-def" or "abc def". That should work in your case.

But the best option is to define the right mapping/analyzer for your fields.

lrietze · June 20, 2017, 3:44pm

Thanks for the quick reply dadoonet. The match phrase helped me match on one term. I ended up following the idea in the "Combining Filters" guide which - with the match phrase - seems to have solved my problem.

GET _search
{
"size": 5000,
"query": {
"bool": {
"must": {
"bool": {
"should": [
{
"match":{
"message":{
"query":"abc-def",
"operator": "AND"
}
}
},
{
"match":{
"message":{
"query":"abc-ghi",
"operator": "AND"
}
}
},
{
"match":{
"message":{
"query":"abc-jkl",
"operator": "AND"
}
}
},
{
"match":{
"message":{
"query":"def - 34",
"operator": "AND"
}
}
},
{
"match":{
"message":{
"query":"hij - 27",
"operator": "AND"
}
}
},
{
"match":{
"message":{
"query":"31083",
"operator": "AND"
}
}
},
{
"match":{
"message":{
"query":"31070",
"operator": "AND"
}
}
}
]
}
}
}
}
}

dadoonet · June 20, 2017, 4:18pm

Well. You are doing match phrase but match all the terms whatever the order is.

Which means that abc def will match as well as def abc.

Not exactly a phrase here

lrietze · June 20, 2017, 5:53pm

Hmm, I guess I haven't run into a case where they are flipped because I don't have that in my test data. Any suggestions on how to fix my match phrase? Do I need to create a custom analyser? (I'm not entirely familiar with the analyser / mapping features)

Thanks!

dadoonet · June 20, 2017, 9:07pm

As I said, "the best option is to define the right mapping/analyzer for your fields."

Use a keyword type instead of text. Then you will only be able to search for the full and complete string.

DELETE test
PUT test 
{
  "mappings": {
    "doc": {
      "properties": {
        "message": {
          "type": "keyword"
        }
      }
    }
  }
}
PUT test/doc/1
{
  "message": "abc-def"
}

Then try to use a match query with abc-def (should match) and def-abc (should not match).

HTH

system · July 18, 2017, 9:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.