
I've been facing some issues with a multi-field Elasticsearch query. I am trying to query all the documents whose field called func_name matches one of two hard-coded strings. Even though my index has documents with both of these function names, the query result always fetches only one func_name. So far I have tried the following queries.

1) The following returns only one function match, even though the documents contain the other function as well:

GET /_search
{
  "query": {
    "multi_match": {
      "query": "FEM_DS_GetTunerStatusInfo MDM_TunerStatusPrint",
      "operator": "OR",
      "fields": [
        "func_name"
      ]
    }
  }
}

2) The following intermittently gives me both functions:

GET /_search
{
    "query": {
        "match": {
            "func_name": {      
                "query":    "MDM_TunerStatusPrint FEM_DS_GetTunerStatusInfo",
                "operator": "or"
            }
        }
    }
}

3) The following returns only one function match, even though the documents contain the other function as well:

{
  "query": {
    "bool": {
      "should": [
                  { "match": { "func_name": "FEM_DS_GetTunerStatusInfo" }},
                  { "match": { "func_name": "MDM_TunerStatusPrint"   }}
      ]
    }
  }
}

Any help is much appreciated.

Thanks for your reply. Let's assume that I have the following kind of documents in my Elasticsearch. I want my search to return the first two documents out of all of them, as they match my func_name.

[
  {
    "_index": "diag-178999",
    "_source": {
      "severity": "MIL",
      "t_id": "03468500",
      "p_id": "000007c6",
      "func_name": "MDM_TunerStatusPrint",
      "timestamp": "2017-06-01T02:04:51.000Z"
    }
  },
  {
    "_index": "diag-344563",
    "_source": {
      "t_id": "03468500",
      "p_id": "000007c6",
      "func_name": "FEM_DS_GetTunerStatusInfo",
      "timestamp": "2017-07-20T02:04:51.000Z"
    }
  },
  {
    "_index": "diag-101010",
    "_source": {
      "severity": "MIL",
      "t_id": "03468500",
      "p_id": "000007c6",
      "func_name": "some_func",
      "timestamp": "2017-09-15T02:04:51.000Z"
    }
  }
]
NinjaSolid
  • Could you please add some more details like a sample document and the elasticsearch mapping you are using? The multi_match query is used for querying more than one field, so probably it's not what you want to achieve as you are only targeting a single field named `func_name`... – Andreas Jägle Sep 24 '17 at 13:43
  • edited my question to add details. – NinjaSolid Sep 25 '17 at 08:46
  • I had also raised a question about a logstash filter to extract irregular data; please see if you can help. https://stackoverflow.com/questions/45561127/extracting-data-from-multiple-events-from-elasticsearch-using-single-logstash-fi – NinjaSolid Sep 25 '17 at 08:49

2 Answers


The "two best ways" to request your ES are to filter by terms on a particular field, or to aggregate your queries so that you can rename the field, apply multiple rules, and give a more understandable format to your response.

See: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html and the other doc page, which is very useful: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations.html

In your case, you should do:

    {
      "from": 0, "size": 2,
      "query": {
        "bool": {
          "filter": {
            "terms": {
              "func_name": ["FEM_DS_GetTunerStatusInfo", "MDM_TunerStatusPrint"]
            }
          }
        }
      }
    }

OR

    "aggs": {
      "aggregationName": {
        "terms": {
          "field": "func_name",
          "include": ["FEM_DS_GetTunerStatusInfo", "MDM_TunerStatusPrint"]
        }
      }
    }

The aggregation at the end is just here to show you how to do the same thing as your query filter. Let me know if it's working :)

Best regards

andrea06590
  • Sorry, it's not working: "reason": "no [query] registered for [filter]" – NinjaSolid Oct 23 '17 at 16:49
  • any comment for this question? https://stackoverflow.com/questions/45561127/extracting-data-from-multiple-events-from-elasticsearch-using-single-logstash-fi – NinjaSolid Oct 23 '17 at 17:48
  • Sorry, I did not read the Elastic 5.0 doc; I guess you are using it? The syntax changed; try removing the filter object, and this topic should fix your query: https://stackoverflow.com/questions/40519806/no-query-registered-for-filtered For your logstash question, using a grok filter and regex is the best way too: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html – andrea06590 Oct 24 '17 at 09:29

As I understand it, you should use a filtered query to match any document with one of the values of func_name mentioned above:

{
  "query": {
    "filtered": {
      "filter": {
        "bool": {
          "must": [
            {
              "terms": {
                "func_name": [
                  "FEM_DS_GetTunerStatusInfo",
                  "MDM_TunerStatusPrint"
                ]
              }
            }
          ]
        }
      }
    }
  }
}

See: Filtered Query, Terms Query

UPDATE in ES 5.0:

{
  "query": {
    "bool": {
      "must": [
        {
          "terms": {
            "func_name": [
              "FEM_DS_GetTunerStatusInfo",
              "MDM_TunerStatusPrint"
            ]
          }
        }
      ]
    }
  }
}

See: this answer

Eli
  • I am seeing error when used filtered query, "error": { "root_cause": [ { "type": "parsing_exception", "reason": "no [query] registered for [filtered]", "line": 3, "col": 17 } } – NinjaSolid Sep 25 '17 at 08:42
  • That's not fetching any data; however, I've worked out the query. The following works well: GET /_search { "query": { "match": { "func_name": { "query": "AEM_InputMonitorThread FEM_PLUGIN_Cable_DeviceEvent common_signal_handler", "operator": "or" } } } } – NinjaSolid Oct 23 '17 at 17:29
  • @NinjaSolid if so, please add it as an answer :) – Eli Oct 24 '17 at 13:14
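To make the behaviour behind both answers and the follow-up comments concrete, here is an added example; it is not code from the original question or either answer. It models, in plain Python with no Elasticsearch instance, how ES 5.x evaluates `term`/`terms` versus `match` on a string field that was dynamically mapped: the string becomes a `text` field whose standard analyzer splits on non-word characters and lowercases (an underscore does not split the token, so `FEM_DS_GetTunerStatusInfo` is indexed as the single token `fem_ds_gettunerstatusinfo`), plus a `.keyword` sub-field holding the exact value. `term` and `terms` do not analyze their input, so `terms` on `func_name` with the mixed-case names finds nothing, which is one plausible reading of the "not fetching any data" comment above; `terms` on `func_name.keyword`, or `match` with `operator: or`, finds both documents; and a single `term` value containing " OR " is looked up literally, which is why the first answer's original `term` string could never match. The three documents are constructed from the ones in the question, and the `.keyword` sub-field is the ES 5 dynamic-mapping default, which the thread does not confirm for this index; `build_terms_body` is a helper written for this example.

```python
"""Model of ES 5.x term/terms vs match evaluation on a dynamically mapped
string field.  Added example; not code from the original thread."""
import json
import re

# Constructed sample documents, modelled on the three in the question.
DOCS = [
    {"_index": "diag-178999", "func_name": "MDM_TunerStatusPrint", "severity": "MIL"},
    {"_index": "diag-344563", "func_name": "FEM_DS_GetTunerStatusInfo"},
    {"_index": "diag-101010", "func_name": "some_func", "severity": "MIL"},
]

NAMES = ["FEM_DS_GetTunerStatusInfo", "MDM_TunerStatusPrint"]


def analyze(text):
    """Approximation of the standard analyzer: word characters (including
    underscore, as in UAX#29) form one token; everything is lowercased."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def index_value(doc, field):
    """Indexed terms for `field`.  ES 5 dynamic mapping (assumed here) makes a
    string a `text` field (analyzed tokens) plus a `.keyword` sub-field that
    stores the exact, unanalyzed value."""
    base, _, sub = field.partition(".")
    raw = doc.get(base)
    if raw is None:
        return set()
    if sub == "keyword":
        return {raw}
    return set(analyze(raw))


def terms_query(field, values):
    """`terms` (and `term`): query values are NOT analyzed; a document hits
    only if one of the values equals an indexed term exactly."""
    wanted = set(values)
    return [d for d in DOCS if index_value(d, field) & wanted]


def match_query(field, query, operator="or"):
    """`match`: the query string IS run through the field's analyzer, then
    the tokens are combined with OR (default) or AND."""
    tokens = [query] if field.endswith(".keyword") else analyze(query)
    hits = []
    for d in DOCS:
        indexed = index_value(d, field)
        present = [t in indexed for t in tokens]
        if any(present) if operator == "or" else all(present):
            hits.append(d)
    return hits


def hit_indices(hits):
    """Sorted _index names of the hits, for easy comparison."""
    return sorted(h["_index"] for h in hits)


def build_terms_body(field, values, size=10):
    """ES 5.x request body: `terms` in filter context (no scoring), which is
    the form the second answer's UPDATE converges on."""
    return {"size": size,
            "query": {"bool": {"filter": {"terms": {field: list(values)}}}}}


if __name__ == "__main__":
    print(hit_indices(terms_query("func_name", NAMES)))           # case mismatch -> none
    print(hit_indices(terms_query("func_name.keyword", NAMES)))   # exact field -> both
    print(hit_indices(terms_query("func_name", ["FEM_DS_GetTunerStatusInfo OR MDM_TunerStatusPrint"])))
    print(hit_indices(match_query("func_name", " ".join(NAMES))))          # analyzed, OR -> both
    print(hit_indices(match_query("func_name", " ".join(NAMES), "and")))   # AND -> none
    print(json.dumps(build_terms_body("func_name.keyword", NAMES), indent=2))
```

Run it with `python3` and compare the printed lists; the final `json.dumps` output is a body you can POST to `/_search` with curl. Whether `func_name` or `func_name.keyword` is the right target depends on the index mapping (`GET /<index>/_mapping`), which is the detail the first comment on the question asked for; when selecting log events by an exact identifier, the keyword field in filter context is the predictable choice because it neither analyzes the input nor scores the hits.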