0

Currently I trying to restrict results of Elasticsearch (5.4) with the following query: 

{
  "query": {
    "bool": {
      "must": {
        "multi_match": {
          "query": "apache log Linux",
          "type": "most_fields",
          "fields": [
            "message",
            "type"
          ]
        }
      },
      "filter": {
        "term": {
          "client": "test"
        }
      }
    }
  }
}

This returns every document that contains "apache", "log", or "linux". I want to restrict the results to documents that have a field "client" with the exact specified value, this case: "test". However, this query returns all the documents that contain "test" as value. A document with "client": "test client" will also be returned. I want to restriction to be exact, so only the documents with "client": "test" should be returned and not "client": "test client".

After testing a bunch of different queries and lots of searching, I can not find a solution to my problem. What am I missing?

Yokovaski
  • 178
  • 11

2 Answers2

1

Set a mapping on your index specifying that your client field is a keyword datatype.

The mapping request could look like 

PUT my_index
{
  "mappings": {
    "my_type": {
      "properties": {
        "client": {
          "type":  "keyword"
        }
      }
    }
  }
}
nikoshr
  • 32,926
  • 33
  • 91
  • 105
  • Thanks for pointing out that the `keyword` datatype solves my problem. I use logstash to write data to Elasticsearch and are therefore not able to change the mapping of a field. However the keyword mapping is already present in the .raw by default. – Yokovaski May 15 '17 at 10:14
1

Just use the keyword part of your client field, since this is 5.x and, by default, the keyword is already there:

  "filter": {
    "term": {
      "client.keyword": "test"
    }
  }
Andrei Stefan
  • 51,654
  • 6
  • 98
  • 89
  • The field `client.keyword` does not returns results. I checked the mapping of my index and found that the `client.raw` is typed as `keyword`. So it is true that 5.x maps keyword as default. Using `client.raw` therefore solves my problem. Thanks! – Yokovaski May 15 '17 at 10:08