Search code examples
searchindexingmappingelasticsearchmac-address

Elasticsearch mac address search/mapping

I can't get the mac address search to return proper results when I'm doing partial searches (half octect). I mean, if I look for the exact mac address I get results but if try to search for partial search like "00:19:9" I don't get anything until I complete the octet.

Can anyone point out which mapping should I use to index it or kind of search query should I use?? 

curl -XDELETE http://localhost:9200/ap-test
curl -XPUT http://localhost:9200/ap-test

curl -XPUT http://localhost:9200/ap-test/devices/1 -d '
{
  "user" : "James Earl",
  "macaddr" : "00:19:92:00:71:80"
}'

curl -XPUT http://localhost:9200/ap-test/devices/2 -d '
{
  "user" : "Earl",
  "macaddr" : "00:19:92:00:71:82"
}'

curl -XPUT http://localhost:9200/ap-test/devices/3 -d '
{
  "user" : "James Edward",
  "macaddr" : "11:19:92:00:71:80"
}'

curl -XPOST 'http://localhost:9200/ap-test/_refresh'
curl -XGET http://localhost:9200/ap-test/devices/_mapping?pretty

When I to find exact matches I get them correctly....

curl -XPOST http://localhost:9200/ap-test/devices/_search -d '
{
    "query" : {
        "query_string" : {
            "query":"\"00\\:19\\:92\\:00\\:71\\:80\""
        }
    }
}'

# RETURNS:

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 1,
    "max_score": 0.57534903,
    "hits": [
      {
        "_index": "ap-test",
        "_type": "devices",
        "_id": "1",
        "_score": 0.57534903,
        "_source": {
          "user": "James Earl",
          "macaddr": "00:19:92:00:71:80"
        }
      }
    ]
  }
}

HOWEVER, I need to be able to match partial mac addresses searches like this:

curl -XPOST http://localhost:9200/ap-test/devices/_search -d '
{
    "query" : {
        "query_string" : {
            "query":"\"00\\:19\\:9\""
        }
    }
}'

# RETURNS 0 instead of returning 2 of them 

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  }
}

SO, What mapping should I use? Is there a better query string to accomplish this? BTW, what's the difference between using 'query_string' and 'text'?

Solution

  • After some research I found and easier way to make it work.

    Elasticsearch query options are confusing sometimes because they have so many options...

    • query_string: has a full-fledged search with a myriad of options and wildcard uses.
    • match: is simpler and doesn't require wildcard characters, or other “advance” features. This one it's great to use it in search boxes because chances of it failing are very small if not non-existent.

    So, that said. This is the one that work the best in most cases and didn't required customized mapping.

    curl -XPOST http://localhost:9200/ap-test/devices/_search -d '
{
    "query" : {
        "match_phrase_prefix" : {
            "_all" : "00:19:92:00:71:8"
        }
    }
}'