
Elasticsearch query excluding the results from another query


A simplified Elasticsearch index of 'articles' has documents with fields domain_name and tag, plus some other content.

tag is limited to a handful of keyword values, such as source1, source2, where tag can only have a single value in each document. domain_name is a single value in each document.

I would like to return a set of documents where tag=source1 that do not include the domain_name from another query where tag=source2.

In two steps this would be something like:

set to exclude

{
  "query": {
    "term" : { "tag" : "source2" } 
  }
}

Results would be processed to produce an array of domain_name values, one from each returned document.

The second query would then get all items it cares about, then exclude the terms it doesn't (the list of domain names from the previous query).

query minus set to exclude

{
  "query": {
    "bool": {
      "must": {
        "term" : { "tag" : "source1" } 
      },
      "must_not": {
        "terms": {
          "domain_name": [<array of domain_name values>]
        }
      }
    }
  }
}

Is this possible in a single query, or using aggregates? The indexes and result sets would not be massive, so I'm less worried about performance than convenience.

Bonus question, could this be defined in Kibana directly?


Solution

  • For my case I used a programming language (Java) to execute the first query and get the result array of documents from the first query, then I stored the IDs of the query result in an array and used this array, which contains the IDs from the first query, to execute the second query. Elastic does not support nested queries.
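The two-step approach described in the question and in the answer above, written out as an added example (not code from the original post or answer): the first query fetches only domain_name for tag=source2, the distinct values are collected client-side, and the must_not terms clause of the second query is built from them against the domain_name field. The response below is constructed to look like an Elasticsearch _search reply; the field names come from the question, and the truncation check is an assumption about how a practitioner would guard the exclusion list.

```python
import json

# Constructed sample reply to the first query ({"term": {"tag": "source2"}}),
# shaped like an Elasticsearch 7.x _search response. Not real data.
SOURCE2_RESPONSE = {
    "hits": {
        "total": {"value": 3, "relation": "eq"},
        "hits": [
            {"_id": "1", "_source": {"domain_name": "a.example"}},
            {"_id": "2", "_source": {"domain_name": "b.example"}},
            {"_id": "3", "_source": {"domain_name": "a.example"}},
        ],
    }
}


def exclusion_query(tag, size=10000):
    """First query: return only domain_name for documents carrying `tag`."""
    return {"_source": ["domain_name"], "size": size, "query": {"term": {"tag": tag}}}


def domain_names_from(response):
    """Distinct domain_name values from a _search response, in first-seen order.

    Raises if the response holds fewer hits than it reports in total, because
    a truncated first query would silently shrink the exclusion list.
    """
    total = response["hits"]["total"]
    count = total["value"] if isinstance(total, dict) else total  # 7.x vs older shape
    hits = response["hits"]["hits"]
    if count > len(hits):
        raise ValueError("first query truncated: raise size or paginate (%d > %d)" % (count, len(hits)))
    names = []
    for hit in hits:
        name = hit["_source"].get("domain_name")
        if name is not None and name not in names:
            names.append(name)
    return names


def filtered_query(keep_tag, excluded_domains):
    """Second query: keep_tag documents minus any whose domain_name was excluded."""
    return {"query": {"bool": {
        "must": [{"term": {"tag": keep_tag}}],
        "must_not": [{"terms": {"domain_name": list(excluded_domains)}}],
    }}}


if __name__ == "__main__":
    excluded = domain_names_from(SOURCE2_RESPONSE)
    print(json.dumps(filtered_query("source1", excluded), indent=2))
```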