Unable to query for exact term

I'm still new to working with elasticsearch queries. I find that my query is returning too many results despite my attempts to request specific results. For example, if I run this query:

GET /test-index/_search
{
"query": {
        "bool": {
          "must": [
           {
             "match": {
               "rule_id": "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd"
             }
           }
        ]
      }
  }
}

Then I get these results:

{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 94,
      "relation": "eq"
    },
    "max_score": null,
    "hits": [
      {
        "_index": "test-index",
        "_id": "Dik7RIQBiMkQXuxZ_lQL",
        "_score": null,
        "_source": {
          "alert_id": "apm.error_rate_node-app-1_production",
          "rule_id": "5f52bbe0-5c75-11ed-ab47-2517decffbca",
          "reason": "Error count is 158 in the last 1 min for node-app-1. Alert when > 25.",
          "service_name": "node-app-1",
          "date": "2022-11-04T20:01:30.576Z"
        },
        "sort": [
          1667592090576
        ]
      },
      {
        "_index": "test-index",
        "_id": "aSk7RIQBiMkQXuxZTlBN",
        "_score": null,
        "_source": {
          "alert_id": "apm.transaction_error_rate_node-app-1_request_production",
          "rule_id": "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd",
          "reason": "Failed transactions is 50% in the last 1 min for node-app-1. Alert when > 2.0%.",
          "service_name": "node-app-1",
          "date": "2022-11-04T20:00:43.384Z"
        },
        "sort": [
          1667592043384
        ]
      },
...etc...

Notice that one of the results has rule_id === "5f52bbe0-5c75-11ed-ab47-2517decffbca"...which is not a result I want to appear. I've been reading other people's questions, and I think maybe this has something to do with analyzers or strings being tokenized? And some people suggested something about mappings?

Here's my mapping:

{
  "mappings": {
    "properties": {
      "alert_id": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "date": {
        "type": "date"
      },
      "reason": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "rule_id": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "service_name": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
  }
}

Can anyone point me in the right direction on how to query for results that have rule_id === "bfa2dff0-59f7-11ed-8dbb-df926a4ffacd"?

Hi @learningelastic

Think you should read a blog about the difference between keyword and text such as this blog

Then you should decide how you want to store and search those fields.

If you only ever want to search with exact match then store as keyword and do a terms search.

If you want to tokenize (break up the string both on store and search) and do partial matches then use text to store and match to search

If you want both... store with the default mapping and do

term search on rule_id.keword

or

match on rule_id

really important concepts to understand if you want to use.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.