Elasticsearch term vs match

Question

I have to write a search query on 2 condition.

timestamp
directory

When I am using match in search query like below

{
   "query":{
      "bool":{
         "must":{
            "match":{
               "directory":"/user/ayush/test/error/"
            }
         },
         "filter":{
            "range":{
               "@timestamp":{
                  "gte":"2020-08-25 01:00:00",
                  "lte":"2020-08-25 01:30:00",
                  "format":"yyyy-MM-dd HH:mm:ss"
               }
            }
         }
      }
   }
}

In the filter result I am getting records with directory

/user/ayush/test/error/
/user/hive/
/user/

but when I am using term like below

{
   "query":{
      "bool":{
         "must":{
            "term":{
               "directory":"/user/ayush/test/error/"
            }
         },
         "filter":{
            "range":{
               "@timestamp":{
                  "gte":"2020-08-25 01:00:00",
                  "lte":"2020-08-25 01:30:00",
                  "format":"yyyy-MM-dd HH:mm:ss"
               }
            }
         }
      }
   }
}

I am not getting any results not even with directory value /user/ayush/test/error/

ESCoder · Accepted Answer · 2020-09-01T15:59:32.647

The match query analyzes the input string and constructs more basic queries from that.

The term query matches exact terms.

Refer these blogs to get detailed information :

SO question on Term vs Match query

https://discuss.elastic.co/t/term-query-vs-match-query/14455

elasticsearch match vs term query

The field value /user/ayush/test/error/ is analyzed as follows :

POST/_analyze
{
  "analyzer" : "standard",
  "text" : "/user/ayush/test/error/"
}

The tokens generated are:

{
    "tokens": [
        {
            "token": "user",
            "start_offset": 1,
            "end_offset": 5,
            "type": "<ALPHANUM>",
            "position": 0
        },
        {
            "token": "ayush",
            "start_offset": 6,
            "end_offset": 11,
            "type": "<ALPHANUM>",
            "position": 1
        },
        {
            "token": "test",
            "start_offset": 12,
            "end_offset": 16,
            "type": "<ALPHANUM>",
            "position": 2
        },
        {
            "token": "error",
            "start_offset": 17,
            "end_offset": 22,
            "type": "<ALPHANUM>",
            "position": 3
        }
    ]
}

Index data:

{ "directory":"/user/ayush/test/error/" }
{ "directory":"/user/ayush/" }
{ "directory":"/user" }

Search Query using Term query:

The term query does not apply any analyzers to the search term, so will only look for that exact term in the inverted index. So to search for the exact term, you need to use directory.keyword OR change the mapping of field.

{
  "query": {
    "term": {
      "directory.keyword": {
        "value": "/user/ayush/test/error/",
        "boost": 1.0
      }
    }
  }
}

Search Result for Term query:

"hits": [
            {
                "_index": "my_index",
                "_type": "_doc",
                "_id": "1",
                "_score": 0.9808291,
                "_source": {
                    "directory": "/user/ayush/test/error/"
                }
            }
        ]

but why term query unable to find directory /user/ayush/test/error/ even when it is present exact? do i need to some special character for /? — Ayush Goyal, Sep 01 '20 at 15:51
@AyushGoyal If you want to get result for your term query, u need to `directory.keyword` if it is there in your mapping(if you are considering dynamic mapping), otherwise create a `keyword` field to store the field value — ESCoder, Sep 01 '20 at 15:53
@AyushGoyal yes, with `.keyword` you will get the search result with term queries also . — ESCoder, Sep 01 '20 at 16:00
@AyushGoyal It would be great if you can accept and upvote my answer :) — ESCoder, Sep 01 '20 at 16:01

Elasticsearch term vs match

1 Answers1