I'm still new to working with Elasticsearch queries. I find that my query is returning too many results despite my attempts to request specific results. For example, if I run this query:
GET /test-index/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "rule_id": "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd"
          }
        }
      ]
    }
  }
}
Then I get these results:
{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 94,
      "relation": "eq"
    },
    "max_score": null,
    "hits": [
      {
        "_index": "test-index",
        "_id": "Dik7RIQBiMkQXuxZ_lQL",
        "_score": null,
        "_source": {
          "alert_id": "apm.error_rate_node-app-1_production",
          "rule_id": "5f52bbe0-5c75-11ed-ab47-2517decffbca",
          "reason": "Error count is 158 in the last 1 min for node-app-1. Alert when > 25.",
          "service_name": "node-app-1",
          "date": "2022-11-04T20:01:30.576Z"
        },
        "sort": [
          1667592090576
        ]
      },
      {
        "_index": "test-index",
        "_id": "aSk7RIQBiMkQXuxZTlBN",
        "_score": null,
        "_source": {
          "alert_id": "apm.transaction_error_rate_node-app-1_request_production",
          "rule_id": "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd",
          "reason": "Failed transactions is 50% in the last 1 min for node-app-1. Alert when > 2.0%.",
          "service_name": "node-app-1",
          "date": "2022-11-04T20:00:43.384Z"
        },
        "sort": [
          1667592043384
        ]
      },
      ...etc...
Notice that one of the results has rule_id === "5f52bbe0-5c75-11ed-ab47-2517decffbca"
...which is not a result I want to appear. I've been reading other people's questions, and I think maybe this has something to do with analyzers or strings being tokenized? And some people suggested something about mappings?
Here's my mapping:
{
  "mappings": {
    "properties": {
      "alert_id": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "date": {
        "type": "date"
      },
      "reason": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "rule_id": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "service_name": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
  }
}
Can anyone point me in the right direction on how to query for results that have rule_id === "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd"?
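The following is an added example, not code from the question above. It reproduces, offline, why a `match` query against the `text` field `rule_id` returns alerts for the wrong rule, and shows the request body that selects only the wanted rule. The cause is visible in the mapping: `rule_id` is a `text` field, so the standard analyzer splits each UUID on its hyphens into five tokens at index time and does the same to the query string; `match` then uses OR between query tokens, so any document sharing even one token is a hit. The two UUIDs shown share the token `11ed` (the third group of a version-1 UUID carries the version nibble and the high timestamp bits, so rule ids created in the same period tend to collide there). The `rule_id.keyword` sub-field the mapping already defines is not analyzed, so a `term` query on it is an exact, whole-value comparison; the UUID's 36 characters are well under the `ignore_above` limit of 256. The `standard_analyze` helper is a simplified stand-in for the real analyzer (it only handles ASCII letters and digits), and the sample documents are constructed from the two hits in the question.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample documents modelled on the two hits in the question
# (only the fields needed for the demonstration are kept).
DOCS: List[Dict[str, str]] = [
    {"_id": "Dik7RIQBiMkQXuxZ_lQL",
     "rule_id": "5f52bbe0-5c75-11ed-ab47-2517decffbca",
     "alert_id": "apm.error_rate_node-app-1_production"},
    {"_id": "aSk7RIQBiMkQXuxZTlBN",
     "rule_id": "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd",
     "alert_id": "apm.transaction_error_rate_node-app-1_request_production"},
]

WANTED_RULE = "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd"


def standard_analyze(text: str) -> List[str]:
    """Simplified stand-in for Elasticsearch's standard analyzer on ASCII
    input: split on anything that is not a letter or digit (so hyphens are
    token boundaries) and lowercase. A `text` field is indexed this way."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def match_on_text_field(docs: List[Dict[str, str]], field: str, value: str) -> List[str]:
    """Emulate `match` on a `text` field with its default OR operator: a
    document is a hit if it shares at least one analyzed token with the query."""
    query_tokens = set(standard_analyze(value))
    return [d["_id"] for d in docs if query_tokens & set(standard_analyze(d[field]))]


def term_on_keyword_field(docs: List[Dict[str, str]], field: str, value: str) -> List[str]:
    """Emulate `term` on the `<field>.keyword` sub-field: the stored value is
    not analyzed, so only a character-for-character equal value is a hit."""
    return [d["_id"] for d in docs if d[field] == value]


def shared_tokens(a: str, b: str) -> Set[str]:
    """Tokens two values have in common after analysis; these are what make
    an unrelated document match."""
    return set(standard_analyze(a)) & set(standard_analyze(b))


def exact_rule_query(rule_id: str) -> Dict:
    """Request body that returns only the alerts of one rule. It uses the
    `rule_id.keyword` sub-field from the mapping in the question, inside a
    bool `filter` clause because exact selection needs no relevance score."""
    return {"query": {"bool": {"filter": [{"term": {"rule_id.keyword": rule_id}}]}}}


if __name__ == "__main__":
    print("match on rule_id        ->", match_on_text_field(DOCS, "rule_id", WANTED_RULE))
    print("term on rule_id.keyword ->", term_on_keyword_field(DOCS, "rule_id", WANTED_RULE))
    print("tokens shared by the two UUIDs:", shared_tokens(WANTED_RULE, DOCS[0]["rule_id"]))
    print(json.dumps(exact_rule_query(WANTED_RULE), indent=2))
```

Running the script shows the `match` emulation returning both documents while the `term` emulation returns only the wanted one, and prints the corrected request body. Over-broad matching like this matters beyond tidiness: a dashboard or alert-routing job that selects on `match` will silently mix in another rule's alerts, so any query that is meant to be an identity check on an id should use the `keyword` sub-field (or map the field as `keyword` outright).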