Using /events-v0-2016-08-29/systemlog/_validate/query?explain I see
"explanations": [
{
"index": "events-v0-2016-08-29",
"valid": true,
"explanation": "filtered(+(field1:*abc* | field3:*abc*) +(field1:*def* | field3:*def*))->cache(_type:systemlog)"
}
I am trying to parse the significance of the | but I could not find it documented anywhere. Does anyone know what that is?
| represents a logical OR (field1 matches abc OR field3 matches abc, in your example)
Thank you @abeyad . I tried to 'mimic' this with a boolean query:
{
"query": {
"bool": {
"must": [
{
"bool": {
"should": [
{
"wildcard": {
"field1": "abc"
}
},
{
"wildcard": {
"field3": "abc"
}
}
]
}
},
{
"bool": {
"should": [
{
"wildcard": {
"field1": "def"
}
},
{
"wildcard": {
"field3": "def"
}
}
]
}
}
]
}
}
}
But in this case I see:
"explanations": [
{
"index": "events-v0-2016-08-29",
"valid": true,
"explanation": "filtered(+(field1:abc field3:abc) +(field1:def field3:def))->cache(_type:systemlog)"
}
Specifically the '|' is missing. The queries should still be the same, is that right?
Correct, the | pipe syntax is generally used for the simple query string, so its probably from that, whereas your query above is combining queries so its showing them without the |. But it means the same. See here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#_multi_field
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.