Substituting the `_all` mapping

headless · March 6, 2018, 5:24pm

Hey I'm pretty new to ES and since the _all - mapping is deprecated since ES 6.0.0 Id like to know how to get similar results.
What I want to do is search all fields (nested ones inclusive) for a String. As far as I understood it, _all used to concatenate all fields to a single String on which i could run my query on.

Having this query

{
"from": 0, "size": 100,
"query": {
    "bool": {
        "must": [
            {
                "wildcard": {
                    "data.leaf_cert.all_domains": {"value": "*" + q + "*"},
                }
            }
        ]
    }
}
}

how would I achieve to search for all fields instead of only for data.leaf_cert.all_domains ?

dadoonet · March 6, 2018, 5:44pm

If you are new, some advices first:

Don't use wildcards starting with *
Don't use wildcards at all

If you do a query string query in 6.x it will act as it was acting before but without the need of having a _all field. Which is why this has been removed.

If you want to control on which fields you want to search you can do a multimatch query.

Or you can use the copy_to feature to copy the content of fields inside another one at index time and search in that field.

headless · March 7, 2018, 8:41am

thanks for the quick reply.
I came to use regex instead of wildcards (but I wonder, why would there be an option to use wildcards, if the use of it is deprecated?)

when using the multimatch query, is it possible to set the fields to [*] so that every field i selected?

you know, i want to query all fields (which could be 100+) so instead of writing a mapping with at least 100+ fields I like to have an option to query every field.

but when I understood you correctly I really have to do it manually? i.e. with copy_to ormultimatch?
I think there should really be something like "query all fields, but field foo and field bar"

dadoonet · March 7, 2018, 9:36pm

but I wonder, why would there be an option to use wildcards, if the use of it is deprecated?

I never said it's deprecated. I'm just quoting the doc here:

Note that this query can be slow, as it needs to iterate over many terms. In order to prevent extremely slow wildcard queries, a wildcard term should not start with one of the wildcards * or ?.

I came to use regex instead of wildcards

Let me quote the doc:

The performance of a regexp query heavily depends on the regular expression chosen. Matching everything like .* is very slow as well as using lookaround regular expressions. If possible, you should try to use a long prefix before your regular expression starts. Wildcard matchers like .*?+ will mostly lower performance.

when using the multimatch query, is it possible to set the fields to [*] so that every field i selected?

Yes as per doc says: Multi Match Query | Elasticsearch Reference [6.2] | Elastic

so instead of writing a mapping with at least 100+ fields I like to have an option to query every field.

Sure. Anyway in case you want to use copy_to, you can look at dynamic templates to automate that.

Note that using a simple query string query or a query string query does not require you to mention any field. It will act as it was with the _all field. See _all field | Elasticsearch Reference [6.2] | Elastic

system · April 4, 2018, 9:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What is the alternative way of querying _all from elasticsearch 6.x onwards? Elasticsearch	4	719	May 17, 2020
Wildcard search on all fields Elasticsearch	3	555	February 6, 2023
What is the alternative way of querying _all? Elasticsearch	1	384	December 7, 2019
Dazzled and confused with the _all field in 6.+ Elasticsearch	2	664	September 8, 2017
Elasticsearch 6 and the disappearing _all field Elasticsearch	7	12927	June 14, 2017

Substituting the `_all` mapping

Related topics