2

I'm trying to have multiple wildcard queries match in my Elasticsearch query in Kibana. I can't quite figure it out.

Basically, I want any document with an attribute type="erreur"

and I want to exclude all documents that match the strings "An established*" or "java.lang.*" on the field descr_courte.

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "type": "erreur"
        }
      },
      "must_not": {
        "wildcard": {
          "descr_courte": ["An established*", "java.lang.*"]
        }
      }
    }
  }
}

If I put a single wildcard query, it works fine:

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "type": "erreur"
        }
      },
      "must_not": {
        "wildcard": {
          "descr_courte": "An established*"
        }
      }
    }
  }
}

The error I get:

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"illegal_state_exception","reason":"Can't get text on a START_ARRAY at 1:454"}],"type":"search_phase_execution_exception","reason":"all shards

Any idea?

  • so, what's not working? Commented Jan 30, 2017 at 19:39
  • Have you tried that query? Have you tested it on your application? Commented Jan 30, 2017 at 19:39
  • What version are you using? Commented Jan 30, 2017 at 19:58

2 Answers

4

Try putting them in separate clauses.

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "type": "erreur"
        }
      },
      "must_not": [
        {
          "wildcard": {
            "descr_courte": "An established*"
          }
        },
        {
          "wildcard": {
            "descr_courte": "java.lang.*"
          }
        }
      ]
    }
  }
}

1

My guess is that you can't make an array for wildcard query like ["An established*", "java.lang.*"], so you need to:

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "type": "erreur"
        }
      },
      "must_not": {
        "regexp": {
          "descr_courte": "(An established|java\\.lang\\.).*"
        }
      }
    }
  }
}

More info about regexp query in https://www.elastic.co/guide/en/elasticsearch/reference/5.1/query-dsl-regexp-query.html

Another option is to combine your query terms with the logical operators NOT, AND and OR in the query string:

{
  "query": {
    "query_string": {
      "query": "type:erreur AND NOT(descr_courte:An established* OR descr_courte:java.lang.*)"
    }
  }
}

See more info at https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#_wildcards

6 Comments

I get a "Duplicate Key" warning, then when I save the filter, Kibana just discards the first "wildcard" clause.
@Dom I've just updated the answer to a bool query, have you tried this way?
@Dom you can still use a simple query with a more complex regex for the query string.
Thanks, it works. Not optimal because I need to enter like 20 strings to exclude in my REGEX, but at least it works.
Thanks again, 2nd solution is much better in terms of maintenance and readability.
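Both answers' query shapes can be generated from a list of patterns instead of typed by hand, which helps when there are around 20 strings to exclude. This is an added example, not part of the original posts; the function names `wildcard_to_regexp` and `exclusion_query` are hypothetical, and it assumes the patterns use only `*` and `?` as wildcards.

```python
import json

# Characters with special meaning in the Lucene regexp syntax used by the regexp query.
LUCENE_RESERVED = set('.?+*|{}[]()"\\#@&<>~')

def wildcard_to_regexp(pattern):
    """Translate a wildcard pattern (* and ?) into Lucene regexp syntax."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")          # any run of characters
        elif ch == "?":
            out.append(".")           # exactly one character
        elif ch in LUCENE_RESERVED:
            out.append("\\" + ch)     # literal character, e.g. the dots in java.lang.
        else:
            out.append(ch)
    return "".join(out)

def exclusion_query(field, patterns, as_regexp=False):
    """Build the bool query: type == "erreur", minus every excluded pattern."""
    if not patterns:
        raise ValueError("at least one pattern is required")
    if as_regexp:
        # One regexp clause whose alternatives are joined with |.
        alternation = "|".join(wildcard_to_regexp(p) for p in patterns)
        must_not = [{"regexp": {field: "(" + alternation + ")"}}]
    else:
        # One wildcard clause per pattern: wildcard takes a single string, not an array.
        must_not = [{"wildcard": {field: p}} for p in patterns]
    return {"query": {"bool": {"must": {"term": {"type": "erreur"}},
                               "must_not": must_not}}}

# Constructed sample list taken from the question's two patterns.
EXCLUDED = ["An established*", "java.lang.*"]

if __name__ == "__main__":
    # json.dumps doubles the backslashes, so the output is valid JSON to paste into Kibana.
    print(json.dumps(exclusion_query("descr_courte", EXCLUDED), indent=2))
    print(json.dumps(exclusion_query("descr_courte", EXCLUDED, as_regexp=True), indent=2))
```
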