What's wrong with my query?

#1

I'm trying to search through documents using an equivalent of logical OR in elasticsearch.
From the docs I understand I should use should; however, when I run it I get all documents, none of them meeting my requirements in OR.

{
    "query": {
        "bool": {
            "should": [
                {"match": {"eventName": "AuthorizeSecurityGroupIngress"}},
                {"match": {"eventName": "AuthorizeSecurityGroupEgress"}},
                {"match": {"eventName": "RevokeSecurityGroupIngress"}},
                {"match": {"eventName": "RevokeSecurityGroupEgress"}}
            ],
            "filter": {
                "range": {
                    "eventTime": {
                        "gte": "now-5h",
                        "lt": "now"
                    }
                }
            }
        }
    }
}

With this I get eventNames that are not in the query above. What is wrong with it?

(George) #2

Hi there,

There's more nuance to the should clause than meets the eye; it's not always the equivalent of a logical OR.

In your query, because of the way the should clause works, none of the documents matching the filter actually have to match any of the should clauses. All the should clause will do is increase the score of the matched documents.

To make sure you only get documents matching at least one of the clauses in the should block, add a minimum_should_match clause with a value of 1.

Weirdly, the v7 docs don't describe this behaviour but it is mentioned in the v6.7 docs (unless the behaviour has changed between releases, which I don't think is the case). Look at the description of should on this page: https://www.elastic.co/guide/en/elasticsearch/reference/6.7/query-dsl-bool-query.html

Hope this helps.
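As an added illustration (not part of George's answer or the original question), the following Python builds the bool query from the question with and without minimum_should_match and runs it through a toy evaluator that mimics the rule described above. The sample events are constructed here, and match is simplified to exact equality on eventName; the default of 0 for minimum_should_match applies because a filter clause is present.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the original post); eventTime is a UTC datetime.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventTime": NOW - timedelta(hours=1)},
    {"eventName": "RevokeSecurityGroupEgress", "eventTime": NOW - timedelta(hours=4)},
    {"eventName": "DescribeInstances", "eventTime": NOW - timedelta(hours=2)},     # in window, not in the OR list
    {"eventName": "AuthorizeSecurityGroupEgress", "eventTime": NOW - timedelta(hours=9)},  # outside the window
]

SG_EVENTS = ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"]


def build_query(min_should_match=None):
    """Return the bool query from the question; pass min_should_match=1 for the fix."""
    bool_clause = {
        "should": [{"match": {"eventName": name}} for name in SG_EVENTS],
        "filter": {"range": {"eventTime": {"gte": "now-5h", "lt": "now"}}},
    }
    if min_should_match is not None:
        bool_clause["minimum_should_match"] = min_should_match
    return {"query": {"bool": bool_clause}}


def _resolve(expr, now):
    """Resolve 'now' or 'now-<N>h' date math (hours only, enough for this example)."""
    m = re.fullmatch(r"now(?:-(\d+)h)?", expr)
    return now - timedelta(hours=int(m.group(1) or 0))


def run_query(query, docs, now=NOW):
    """Toy evaluator: the filter must match; should clauses only count toward
    minimum_should_match, which defaults to 0 when a filter clause is present.
    'match' is simplified to exact equality on a keyword-like eventName field."""
    b = query["query"]["bool"]
    rng = b["filter"]["range"]["eventTime"]
    lo, hi = _resolve(rng["gte"], now), _resolve(rng["lt"], now)
    needed = b.get("minimum_should_match", 0)
    hits = []
    for d in docs:
        if not (lo <= d["eventTime"] < hi):
            continue
        matched = sum(1 for c in b["should"] if d["eventName"] == c["match"]["eventName"])
        if matched >= needed:
            hits.append(d["eventName"])
    return hits
```

Without minimum_should_match the DescribeInstances event is returned because it passes the filter alone; with minimum_should_match set to 1, only the security-group events inside the 5-hour window remain.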

#3

Hi George,

Thank you for showing me this. It makes more sense now and I got it to work.