Hello,
I'm writing an application to search for logs in my organization's Elastic, and the user can search for nested queries of this form:
pathName:{ field1: "value1" AND field2: "value2" OR field3: "value3" }
I would like the user to be able to request that certain fields not be matched.
I can do this if I want the whole nested request to be unmatched; it gives:
query:
NOT pathName:{ field1: "value1" }
And from this string I can generate the following query which works fine:
(The must_not[] clause is then placed before the nested clause because it is the whole nested clause that we do not want to match.)
"query": {
  "bool": {
    "filter": [
      {
        "bool": {
          "must_not": [
            {
              "nested": {
                "path": "pathName",
                "query": {
                  "bool": {
                    "should": [
                      {
                        "match": {
                          "pathName.field1": "value1"
                        }
                      }
                    ],
                    "minimum_should_match": 1
                  }
                }
              }
            }
          ]
        }
      },
      {
        "range": {
          "@timestamp": {
            "format": "strict_date_optional_time",
            "gte": "Sat Jul 09 2022 02:00:00 GMT+0200 (heure d’été d’Europe centrale)",
            "lte": "Mon Aug 08 2022 02:00:00 GMT+0200 (heure d’été d’Europe centrale)"
          }
        }
      }
    ]
  }
}
The above query works well and returns the expected result.
I would now like my user to be able to request within a nested query to match some fields and not match other fields, like this: pathName:{ NOT field1: "value1" AND field2: "value2" OR NOT field3: "value3" }.
For example for the following query:
pathName:{ NOT field1: "value1" }
(In use there will obviously be more than one element in the nested query, but to simplify I have only put one element in the nested query.)
I want to get all objects that do not match pathName.field1:value1.
From the previous string I can get the following request:
(The must_not[] clause is then placed inside the nested clause because it is only part of the elements of the nested clause that we do not want to match.)
"query": {
  "bool": {
    "filter": [
      {
        "nested": {
          "path": "pathName",
          "query": {
            "bool": {
              "must_not": [
                {
                  "bool": {
                    "should": [
                      {
                        "match": {
                          "pathName.field1": "value1"
                        }
                      }
                    ],
                    "minimum_should_match": 1
                  }
                }
              ]
            }
          }
        }
      },
      {
        "range": {
          "@timestamp": {
            "format": "strict_date_optional_time",
            "gte": "Sat Jul 09 2022 02:00:00 GMT+0200 (heure d’été d’Europe centrale)",
            "lte": "Mon Aug 08 2022 02:00:00 GMT+0200 (heure d’été d’Europe centrale)"
          }
        }
      }
    ]
  }
}
But this query returns the results without taking into account the must_not[] queries contained in the nested query.
Is it not possible to specify a must_not[] clause inside a nested query, or am I generating the query sent to Elastic incorrectly?
Thanks in advance if you take the time to help me.
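The following is an added example, not code from the original post or from Elastic. It assumes Elasticsearch's documented nested-query semantics (a nested query returns the parent document when any one nested object matches its inner query, and a bool with only must_not matches whatever its clauses do not) and runs on constructed sample documents instead of a live cluster, to show how the two placements of must_not described in the post select different documents.

```python
# Added example (not from the original post or from Elasticsearch).
# A tiny evaluator mirroring the documented nested-query semantics,
# used to compare must_not INSIDE a nested clause with must_not AROUND it.

def build_query(path, field, value, negate_inside):
    """Build the nested part of the two query shapes discussed in the post."""
    match = {"match": {f"{path}.{field}": value}}
    if negate_inside:
        # must_not placed inside the nested clause (the post's second query)
        return {"nested": {"path": path,
                           "query": {"bool": {"must_not": [match]}}}}
    # must_not placed around the whole nested clause (the post's first query)
    return {"bool": {"must_not": [{"nested": {"path": path, "query": match}}]}}


def evaluate(query, doc):
    """Minimal evaluator for the three clause types used above (assumed semantics)."""
    if "match" in query:
        (full_field, value), = query["match"].items()
        # inside a nested query the field name carries the path prefix
        return doc.get(full_field.split(".", 1)[1]) == value
    if "bool" in query:
        # a bool with only must_not matches when none of its clauses match
        return not any(evaluate(q, doc) for q in query["bool"]["must_not"])
    if "nested" in query:
        # the parent matches if ANY single nested object matches the inner query
        objs = doc.get(query["nested"]["path"], [])
        return any(evaluate(query["nested"]["query"], obj) for obj in objs)
    raise ValueError(f"unsupported clause: {list(query)}")


# Constructed sample documents, each with a list of nested pathName objects.
DOCS = {
    "only_value1": {"pathName": [{"field1": "value1"}]},
    "mixed": {"pathName": [{"field1": "value1"}, {"field1": "other"}]},
    "no_value1": {"pathName": [{"field1": "other"}]},
}


def hits(negate_inside):
    """Names of the sample documents matched by the chosen query shape."""
    query = build_query("pathName", "field1", "value1", negate_inside)
    return sorted(name for name, doc in DOCS.items() if evaluate(query, doc))


if __name__ == "__main__":
    # "mixed" is the document the inner must_not lets through: its second
    # nested object lacks field1=value1, so the nested query still matches.
    print("must_not inside nested:", hits(True))   # ['mixed', 'no_value1']
    print("must_not around nested:", hits(False))  # ['no_value1']
```

The difference only appears on documents that hold more than one nested object, which is why a single-element test query can look correct either way.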