0

I am trying to write an Elasticsearch query for searching the data with two conditions, something like the below:

{
  "query": {
    "match": {
      "trackingId": "track4324234234244",
      "log_message": "downstream request-response"
    }
  }
}

The above query won't work because [match] query doesn't support multiple fields. Is there a way I can achieve this?

  • It's been a long time; did you get a chance to go through my answer? Looking forward to getting feedback from you, and if it's helpful, please don't forget to upvote and accept :) – ESCoder Sep 25 '20 at 06:47

2 Answers

1

You can use Bool query, where a must clause can be used.

must means: The clause (query) must appear in matching documents. These clauses must match, like logical AND.

To know about the difference between must and should, refer to this SO answer.

Adding a working example with sample docs and search query

Index Sample Data:

{
    "trackingId":"track4324234234244",
    "log_message":"downstream request-response"
}
{
    "trackingId":"track4324234234244",
    "log_message":"downstream"
}
{
    "trackingId":"tracks4324234234244",
    "log_message":"downstream request-response"
}

Search query:

{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "trackingId": "track4324234234244"
          }
        },
        {
          "match": {
            "log_message": {
              "query": "downstream request-response",
              "operator": "and"
            }
          }
        }
      ]
    }
  }
}

Search Result:

"hits": [
    {
        "_index": "my_index",
        "_type": "_doc",
        "_id": "1",
        "_score": 1.8570712,
        "_source": {
            "trackingId": "track4324234234244",
            "log_message": "downstream request-response"
        }
    }
]
ESCoder
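The effect of `"operator": "and"` inside `bool.must` on the three sample documents above, as an added Python example that is not part of the original answer. `analyze`, `match`, `bool_must` and `search` are hypothetical helpers, and the tokenizer only approximates Elasticsearch's default analyzer, assuming both fields are default-mapped text fields.

```python
import re

# Constructed copy of the three sample documents from the answer above.
DOCS = {
    "1": {"trackingId": "track4324234234244", "log_message": "downstream request-response"},
    "2": {"trackingId": "track4324234234244", "log_message": "downstream"},
    "3": {"trackingId": "tracks4324234234244", "log_message": "downstream request-response"},
}

def analyze(text):
    """Assumption: approximates the default analyzer for this data
    (lowercase, split on anything that is not a letter or digit)."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]

def match(doc, field, query, operator="or"):
    """One `match` clause: "or" needs any query term, "and" needs every term."""
    doc_terms = set(analyze(doc.get(field, "")))
    hits = [t in doc_terms for t in analyze(query)]
    return bool(hits) and (all(hits) if operator == "and" else any(hits))

def bool_must(doc, clauses):
    """`bool.must`: every clause has to match (logical AND across clauses)."""
    return all(match(doc, **c) for c in clauses)

def search(clauses):
    """Return the ids of the sample documents that satisfy all clauses."""
    return sorted(i for i, d in DOCS.items() if bool_must(d, clauses))

TRACK = {"field": "trackingId", "query": "track4324234234244"}
MSG = "downstream request-response"

if __name__ == "__main__":
    # With "operator": "and" only document 1 satisfies both conditions.
    print(search([TRACK, {"field": "log_message", "query": MSG, "operator": "and"}]))
    # With the default "or", document 2 ("downstream" alone) also matches.
    print(search([TRACK, {"field": "log_message", "query": MSG}]))
```

"request-response" is split into two terms at the hyphen, which is why the `log_message` clause needs `and` to require all three terms.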
0

Apart from Bool, you can also make use of simple query string as mentioned below:

POST <your_index_name>/_search
{
  "query": {
    "simple_query_string": {
      "fields": ["trackingId", "log_message"],
      "query": "track4324234234244 downstream request-response",
      "default_operator": "AND"
    }
  }
}

Note how I've just added all the terms and made use of default_operator: AND so that it returns only documents having all the terms present in the fields.

There is also query_string; however, I would recommend using the above one, as query_string works in a strict fashion, meaning it would throw errors if the query string has any syntax errors, while simple_query_string does not.

POST <your_index_name>/_search
{
  "query": {
    "query_string": {
      "fields": ["trackingId", "log_message"],
      "query": "(track4324234234244) AND (downstream request-response)",
      "default_operator": "AND"
    }
  }
}

As for when to use simple_query_string: mostly only if you would want to expose the query string or terms to the end user; at that point this would be useful.

Hope that helps!

Opster ES Ninja - Kamal