
Elasticsearch term vs match


I have to write a search query on 2 conditions.

  1. timestamp
  2. directory

When I am using match in search query like below

{
   "query":{
      "bool":{
         "must":{
            "match":{
               "directory":"/user/ayush/test/error/"
            }
         },
         "filter":{
            "range":{
               "@timestamp":{
                  "gte":"2020-08-25 01:00:00",
                  "lte":"2020-08-25 01:30:00",
                  "format":"yyyy-MM-dd HH:mm:ss"
               }
            }
         }
      }
   }
}

In the filter result I am getting records with directory

  1. /user/ayush/test/error/
  2. /user/hive/
  3. /user/

but when I am using term like below

{
   "query":{
      "bool":{
         "must":{
            "term":{
               "directory":"/user/ayush/test/error/"
            }
         },
         "filter":{
            "range":{
               "@timestamp":{
                  "gte":"2020-08-25 01:00:00",
                  "lte":"2020-08-25 01:30:00",
                  "format":"yyyy-MM-dd HH:mm:ss"
               }
            }
         }
      }
   }
}

I am not getting any results, not even with the directory value /user/ayush/test/error/


Solution

  • The match query analyzes the input string and constructs more basic queries from that.

    The term query matches exact terms.

    Refer to these blogs for detailed information:

    SO question on Term vs Match query

    https://discuss.elastic.co/t/term-query-vs-match-query/14455

    elasticsearch match vs term query

    The field value /user/ayush/test/error/ is analyzed as follows:

    POST /_analyze
    {
      "analyzer" : "standard",
      "text" : "/user/ayush/test/error/"
    }
    

    The tokens generated are:

    {
        "tokens": [
            {
                "token": "user",
                "start_offset": 1,
                "end_offset": 5,
                "type": "<ALPHANUM>",
                "position": 0
            },
            {
                "token": "ayush",
                "start_offset": 6,
                "end_offset": 11,
                "type": "<ALPHANUM>",
                "position": 1
            },
            {
                "token": "test",
                "start_offset": 12,
                "end_offset": 16,
                "type": "<ALPHANUM>",
                "position": 2
            },
            {
                "token": "error",
                "start_offset": 17,
                "end_offset": 22,
                "type": "<ALPHANUM>",
                "position": 3
            }
        ]
    }
    

    Index data:

    { "directory":"/user/ayush/test/error/" }
    { "directory":"/user/ayush/" }
    { "directory":"/user" }
    

    Search Query using Term query:

    The term query does not apply any analyzers to the search term, so it will only look for that exact term in the inverted index. So to search for the exact term, you need to use directory.keyword or change the mapping of the field.

    {
      "query": {
        "term": {
          "directory.keyword": {
            "value": "/user/ayush/test/error/",
            "boost": 1.0
          }
        }
      }
    }
    

    Search Result for Term query:

    "hits": [
                {
                    "_index": "my_index",
                    "_type": "_doc",
                    "_id": "1",
                    "_score": 0.9808291,
                    "_source": {
                        "directory": "/user/ayush/test/error/"
                    }
                }
            ]
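
Added example, not part of the original answer: a small Python model of the inverted index that reproduces the three outcomes on this page (match over-matching on shared path tokens, term finding nothing on the analyzed field, term on directory.keyword finding only the exact path). The `analyze` function is a simplified stand-in for the standard analyzer, the function names are hypothetical, and the documents are the index data from the answer.

```python
import re
from collections import defaultdict

# Index data from the answer above.
DOCS = {
    1: "/user/ayush/test/error/",
    2: "/user/ayush/",
    3: "/user",
}

def analyze(text):
    """Simplified stand-in for the standard analyzer:
    lowercase, then split on anything that is not a letter or digit."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]

def build_index(docs, analyzed):
    """Build an inverted index: term -> set of document ids."""
    index = defaultdict(set)
    for doc_id, value in docs.items():
        # A text field stores analyzed tokens; a keyword field stores the raw value.
        terms = analyze(value) if analyzed else [value]
        for term_ in terms:
            index[term_].add(doc_id)
    return index

TEXT_INDEX = build_index(DOCS, analyzed=True)      # models `directory` (text)
KEYWORD_INDEX = build_index(DOCS, analyzed=False)  # models `directory.keyword`

def match(index, query):
    """match: analyze the query, then OR the resulting terms (the default operator)."""
    hits = set()
    for term_ in analyze(query):
        hits |= index.get(term_, set())
    return sorted(hits)

def term(index, query):
    """term: look the query string up verbatim, with no analysis."""
    return sorted(index.get(query, set()))

if __name__ == "__main__":
    q = "/user/ayush/test/error/"
    print("tokens:         ", analyze(q))
    print("match on text:  ", match(TEXT_INDEX, q))    # every doc sharing a token
    print("term on text:   ", term(TEXT_INDEX, q))     # raw path is not an indexed token
    print("term on keyword:", term(KEYWORD_INDEX, q))  # exact value only
```

When a query like this filters audit or error logs by path, the match form silently widens the result set and the term form on the analyzed field silently returns nothing, so check which field type the query is hitting.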