ElasticSearch query using match or term?

I am using a match query to search the field "syslog_5424":

    {
      "query": {
        "filtered": {
          "query": {"match": {"syslog5424_app": "e1c28ca3-dc7e-4425-ba14-7778f126bdd6"}}
        }
      }
    }

Here is the query result:

    {
      "took": 23,
      "timed_out": false,
      "_shards": {
        "total": 45,
        "successful": 29,
        "failed": 0
      },
      "hits": {
        "total": 8340,
        "max_score": 17.623652,
        "hits": [
          {
            "_index": "logstash-2014.12.16",
            "_type": "applog",
            "_id": "AUpTBuwKsotKslj7c27d",
            "_score": 17.623652,
            "_source": {
              "message": "132 <14>1 2014-12-16T12:16:09.889089+00:00 loggregator e1c28ca3-dc7e-4425-ba14-7778f126bdd6 [App/0] - - Get the platform MBean server",
              "@version": "1",
              "@timestamp": "2014-12-16T12:16:10.127Z",
              "host": "9.91.32.178:33128",
              "type": "applog",
              "syslog5424_pri": "14",
              "syslog5424_ver": "1",
              "syslog5424_ts": "2014-12-16T12:16:09.889089+00:00",
              "syslog5424_host": "loggregator",
              "syslog5424_app": "e1c28ca3-dc7e-4425-ba14-7778f126bdd6",
              "syslog5424_proc": "[App/0]",
              "syslog5424_msg": "Get the platform MBean server",
              "syslog_severity_code": 5,
              "syslog_facility_code": 1,
              "syslog_facility": "user-level",
              "syslog_severity": "notice",
              "@source_host": "%{syslog_hostname}",
              "@message": "%{syslog_message}"
            }
          },
          ...

But when I change "match" to "term" I get nothing. The content of the syslog5424_app field is exactly "e1c28ca3-dc7e-4425-ba14-7778f126bdd6", but I can't find it using "term". Any advice would be great.

    {
      "query": {
        "filtered": {
          "query": {"term": {"syslog5424_app": "e1c28ca3-dc7e-4425-ba14-7778f126bdd6"}}
        }
      }
    }



1 answer


What analyzer are you using on the syslog_5424 field?

If it is the standard analyzer, then the data is probably broken down into search terms. E.g.

    e1c28ca3-dc7e-4425-ba14-7778f126bdd6

breaks down into:

    e1c28ca3
    dc7e
    4425
    ba14
    7778f126bdd6

When you use a match query, your search string will also be split, so a match will be made.

However, when you use a term query, the search string will not be parsed, i.e. you are looking for e1c28ca3-dc7e-4425-ba14-7778f126bdd6 in 5 separate terms, so it doesn't match.

So, my recommendation would be to update your mapping to use not_analyzed. You usually don't need the UUID parts, so disable all parsing for that field.


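To make the tokenization argument concrete, here is a small Python model of what the answer describes. It is an added illustration, not code from the question or the answer and not Elasticsearch's own implementation: a simplified standard analyzer, a tiny inverted index, and the term and match query semantics, run first with the default analyzed mapping and then with the field set to not_analyzed. The sample documents and the second UUID are constructed, and the `Index` class with its methods is a hypothetical helper. It also shows a side effect the answer does not spell out: on an analyzed field, a match query on the UUID also returns documents whose app id merely shares one hyphen-separated segment, so log results filtered that way can include other applications' entries.

```python
import re
from collections import defaultdict

# Simplified model of the standard analyzer. Assumption: for a UUID the real
# analyzer also lowercases and splits on hyphens, as the answer describes;
# Unicode word-boundary rules are not modelled here.
def standard_analyze(text):
    return [t.lower() for t in re.findall(r"[0-9A-Za-z]+", text)]

# A not_analyzed field: the whole value is indexed as a single term.
def not_analyzed(text):
    return [text]


class Index:
    """Tiny inverted index: field -> term -> set of document ids (hypothetical helper)."""

    def __init__(self, mapping):
        self.mapping = mapping  # field name -> analyzer function; default is standard
        self.postings = defaultdict(lambda: defaultdict(set))

    def analyzer_for(self, field):
        return self.mapping.get(field, standard_analyze)

    def add(self, doc_id, doc):
        for field, value in doc.items():
            for term in self.analyzer_for(field)(value):
                self.postings[field][term].add(doc_id)

    def term_query(self, field, value):
        # term query: the query string is NOT analyzed, it is an exact term lookup
        return set(self.postings[field].get(value, set()))

    def match_query(self, field, value):
        # match query: the query string is analyzed with the field's analyzer and
        # the resulting terms are OR-ed (the default operator)
        hits = set()
        for term in self.analyzer_for(field)(value):
            hits |= self.postings[field].get(term, set())
        return hits


APP_ID = "e1c28ca3-dc7e-4425-ba14-7778f126bdd6"    # UUID from the question
OTHER_ID = "0f0f0f0f-0000-4425-ffff-000000000000"  # constructed: shares only the "4425" segment

# Constructed sample documents modelled on the question's log entry
DOCS = {
    "doc1": {"syslog5424_app": APP_ID, "syslog5424_msg": "Get the platform MBean server"},
    "doc2": {"syslog5424_app": OTHER_ID, "syslog5424_msg": "Started"},
    "doc3": {"syslog5424_app": "11111111-2222-3333-4444-555555555555", "syslog5424_msg": "Stopped"},
}

ANALYZED = {}                                   # default: every string field is analyzed
NOT_ANALYZED = {"syslog5424_app": not_analyzed}  # the fix the answer recommends

# The mapping change in Elasticsearch 1.x syntax (the era of the question's
# "filtered" query); on current versions the equivalent is "type": "keyword".
MAPPING_FIX = {
    "applog": {
        "properties": {
            "syslog5424_app": {"type": "string", "index": "not_analyzed"}
        }
    }
}


def run(mapping):
    """Index the sample docs under the given mapping and run both query types for APP_ID."""
    idx = Index(mapping)
    for doc_id, doc in DOCS.items():
        idx.add(doc_id, doc)
    return {
        "term": sorted(idx.term_query("syslog5424_app", APP_ID)),
        "match": sorted(idx.match_query("syslog5424_app", APP_ID)),
    }


if __name__ == "__main__":
    print("tokens:", standard_analyze(APP_ID))
    print("analyzed field:   ", run(ANALYZED))      # term finds nothing, match over-matches doc2
    print("not_analyzed field:", run(NOT_ANALYZED))  # both return exactly doc1
```

With the default mapping the term query returns nothing, because no indexed term equals the full UUID, while the match query returns doc1 and also doc2, whose unrelated id happens to contain the segment "4425". With the field mapped not_analyzed both queries return exactly doc1, which is the behaviour you want when an app id is used to scope log searches.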