Using must_not and wildcard to search

Elastic Stack Elasticsearch
1

Hi,

I am new to Elasticsearch and Kibana. I am using the Kibana Dev Tools to search Elasticsearch. What I want to do is find all results that don't match a wildcard term. If I try this a search with

  "must_not": [
    {
    "match": {
      "message": "JOINNG"          
    }

it returns as expected - no results with message=JOINING

if I try with a wildcard however like so

  "must_not": [
    {
    "wildcard": {
      "message": "JOIN*"
    }

It returns messages with JOINING in. Can you use Wildcard with a must_not statement?

2

What is the datatype of the message field?
It must be keyword, as wildcard works only with not analyzed fields.

https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-wildcard-query.html

3

Its text. I did a GET _mapping/field/message and it shows this. Doesn't not say whether its analysed or not. Is default analysed?

  "logstash-2018.05.31": {
    "mappings": {
      "fluentd": {
        "message": {
          "full_name": "message",
          "mapping": {
            "message": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            }
          }
        }
      }
    }
  },
4

Yes, that's the reason why it's not working,
so in your query, you should use the "not analyzed" version of the message field, which is message.keyword, according to the mapping.

  "must_not": [
    {
    "wildcard": {
      "message.keyword": "JOIN*"
    }
1 Like
5

Thats it. Thanks very much klof

6

@sirbrian you're welcome

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.