elasticsearchlucenekibana
Kibana: same fields in one query concatenated "and not" operator. "AND" and "AND NOT" precedence
I have to search document where text field "Body" include "Balance for subscriber with SAN" and exclude "was not found after invoking reip-adapter". I create KQL request in Kibana:
Body : "Balance for subscriber with SAN" and not Body : "was not found after invoking reip-adapter"
But have result including two condition such: "Balance for subscriber with SAN" and "was not found after invoking reip-adapter". Why in my result present AND "Balance for subscriber with SAN" AND "was not found after invoking reip-adapter"?
Inspect KQL Request:
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"should": [
{
"match_phrase": {
"Body": "Balance for subscriber with SAN"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"must_not": {
"bool": {
"should": [
{
"match_phrase": {
"Body": "was not found after invoking reip-adapter"
}
}
],
"minimum_should_match": 1
}
}
}
}
]
}
},
{
"range": {
"Timestamp": {
"format": "strict_date_optional_time",
"gte": "2020-08-29T08:24:55.067Z",
"lte": "2020-08-29T10:24:55.067Z"
}
}
}
],
"should": [],
"must_not": []
}
}
"and not" condition don`t working, Response:
-----omitted--------
"_source": {
"prospector": {},
"Severity": "INFO",
"uuid": "e71b207a-42a6-4b2c-98d1-b1094c578776",
"Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter.",
"tags": [
"iptv",
"beats_input_codec_plain_applied"
],
"source": "/applogs/Iptv/app.log",
"host": {
"name": "e38"
},
"offset": 23097554,
"pid": "2473",
"Configuration": "IptvFacadeBean",
"Timestamp": "2020-08-29T10:24:50.040Z",
"@timestamp": "2020-08-29T10:24:50.446Z",
"input": {}
}
-----omitted--------
Solution
The index data you are indexing for Body field is :
"Body": "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
There is no gap between the number and was ( 0400043102was), so the tokens generated are:
POST/_analyze
{
"analyzer" : "standard",
"text" : "Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter."
}
The tokens are :
{
"tokens": [
{
"token": "balance",
"start_offset": 0,
"end_offset": 7,
"type": "<ALPHANUM>",
"position": 0
},
{
"token": "for",
"start_offset": 8,
"end_offset": 11,
"type": "<ALPHANUM>",
"position": 1
},
{
"token": "subscriber",
"start_offset": 12,
"end_offset": 22,
"type": "<ALPHANUM>",
"position": 2
},
{
"token": "with",
"start_offset": 23,
"end_offset": 27,
"type": "<ALPHANUM>",
"position": 3
},
{
"token": "san",
"start_offset": 28,
"end_offset": 31,
"type": "<ALPHANUM>",
"position": 4
},
{
"token": "0400043102was", <-- note this
"start_offset": 32,
"end_offset": 45,
"type": "<ALPHANUM>",
"position": 5
},
{
"token": "not",
"start_offset": 46,
"end_offset": 49,
"type": "<ALPHANUM>",
"position": 6
},
{
"token": "found",
"start_offset": 50,
"end_offset": 55,
"type": "<ALPHANUM>",
"position": 7
},
{
"token": "after",
"start_offset": 56,
"end_offset": 61,
"type": "<ALPHANUM>",
"position": 8
},
{
"token": "invoking",
"start_offset": 62,
"end_offset": 70,
"type": "<ALPHANUM>",
"position": 9
},
{
"token": "reip",
"start_offset": 71,
"end_offset": 75,
"type": "<ALPHANUM>",
"position": 10
},
{
"token": "adapter",
"start_offset": 76,
"end_offset": 83,
"type": "<ALPHANUM>",
"position": 11
}
]
}
Therefore, when you are trying to do match_phrase like this :
"should": [
{
"match_phrase": {
"Body": "was not found after invoking reip-adapter"
}
}
]
No token was is generated, therefore, the document matches and must_not condition is not working.
Index Data:
{ "Body":"Balance for subscriber with SAN=0400043102" }
{ "Body":"Balance for subscriber with SAN=0400043102was not found after invoking reip-adapter." }
Search Query
{
"query": {
"bool": {
"must": {
"match_phrase": {
"Body": "Balance for subscriber with SAN"
}
},
"must_not": {
"match_phrase": {
"Body": "not found after invoking reip-adapter"
}
}
}
}
}
Search Result:
"hits": [
{
"_index": "my_index",
"_type": "_doc",
"_id": "2",
"_score": 1.055546,
"_source": {
"Body": "Balance for subscriber with SAN=0400043102"
}
}
]
- How to view the different values in a geopoint to a Data table in Kibana Elasticsearch Maps
- Not able to start elastic search service
- Can I filter an array in elastic?
- Pyspark Streaming data to Elastic search index from Kafka topic , running in Jupyter notebook, causing failure
- How to move shards around in a cluster
- OData services with Elastic search
- How to query elasticsearch from spring with LocalDate
- Elasticsearch query to get values of multiple attributes
- I want to sort my elastic search aggregation data with most recent login for each user by there name
- bucket_script inside filter aggregation throws error
- Elasticsearch delete_by_query version conflict
- Case insensitive exact match in ElasticSearch
- How do I enable remote access/request in Elasticsearch 2.0?
- Fluent-bit - Splitting json log into structured fields in Elasticsearch
- Elasticsearch Devtools Queries (Regexp/Wildcard) - Not Working
- Elastic Search Analyzer at search time not working
- Elasticsearch 7.2.0: master not discovered or elected yet, an election requires at least X nodes
- Create TermsQuery with List<String> using elasticsearch java api client
- Elasticsearch: Use loop in Painless script
- How can I check nulls in Logstash pipeline in filter plugin?
- How to input a JSON file (array form) in Logstash?
- OpenTelemetry Export to Elastic Search without Elastic APM
- Can't connect to Elasticsearch with Node.Js on Kubernetes (self signed certificate in certificate chain)
- trying to pass params to elasticsearch getting null_pointer_exception
- 'Compressor detection can only be called on some xcontent bytes or compressed xcontent bytes" error when indexing a list of dictionaries
- Regexp filter in Opensearch (or Elasticsearch)
- Shards and replicas in Elasticsearch
- Search document with empty array field, on ElasticSearch
- how to rename an index in a cluster?
- Merge two indices value by a common field in elasticsearch