Using must_not and wildcard to search

sirbrian · June 5, 2018, 10:37am

Hi,

I am new to Elasticsearch and Kibana. I am using the Kibana Dev Tools to search Elasticsearch. What I want to do is find all results that don't match a wildcard term. If I try this a search with

  "must_not": [
    {
    "match": {
      "message": "JOINNG"          
    }

it returns as expected - no results with message=JOINING

if I try with a wildcard however like so

  "must_not": [
    {
    "wildcard": {
      "message": "JOIN*"
    }

It returns messages with JOINING in. Can you use Wildcard with a must_not statement?

klof · June 5, 2018, 10:53am

What is the datatype of the message field?
It must be keyword, as wildcard works only with not analyzed fields.

https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-wildcard-query.html

sirbrian · June 5, 2018, 11:34am

Its text. I did a GET _mapping/field/message and it shows this. Doesn't not say whether its analysed or not. Is default analysed?

  "logstash-2018.05.31": {
    "mappings": {
      "fluentd": {
        "message": {
          "full_name": "message",
          "mapping": {
            "message": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            }
          }
        }
      }
    }
  },

klof · June 5, 2018, 11:43am

Yes, that's the reason why it's not working,
so in your query, you should use the "not analyzed" version of the message field, which is message.keyword, according to the mapping.

  "must_not": [
    {
    "wildcard": {
      "message.keyword": "JOIN*"
    }

sirbrian · June 5, 2018, 11:56am

Thats it. Thanks very much klof

klof · June 5, 2018, 2:48pm

@sirbrian you're welcome

system · July 3, 2018, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.