
I'm using query_string to search for a word in documents across indexes. Now, I want to continue searching on all fields except one particular field! What can I do? What feature should I use to handle the query?

The query that searches on fields:

GET siem-referencedata-list-*/_search
{
  "query": 
  {
    "bool":
    {
      "must":
      [
        {
          "bool": 
          {
            "should": 
            [
              {
                "query_string": 
                {
                  "query": "*list*"
                  
                }
              }
              ]
          }
        }
        ]
    }
  }
}

How can I ignore searching on a special field (for example id)?

Note: because my fields are dynamic, I can't search on specific fields. I have three stable fields that I do not want to search on.

1 Answer

There is no option in a query_string type query to exclude a field while searching. But you can restrict the search to specific fields by giving a list of fields on which the search should execute.

{
  "query": {
    "query_string": {
      "query": "(new york city) OR (big apple)",
      "fields": ["field1","field2","field3"]
    }
  }
}

You can provide a regex pattern as well in fields, like below:

{
  "query": {
    "query_string" : {
      "fields" : ["city.*"],
      "query" : "this AND that OR thus"
    }
  }
}

If you want to stop providing search functionality on a specific field, then you can set index to false in the mapping and Elasticsearch will not index that field and it will just store it. You will be able to retrieve the field in the response:

PUT my-index-000001
{
  "mappings": {
    "properties": {
      "user_id": {
        "type":  "keyword"
      },
      "last_updated": {
        "type": "date"
      },
      "session_data": { 
        "type": "text",
        "index": false
      }
    }
  }
}

2 Comments

I get errors when using enabled: Failed to parse mapping [_doc]: unknown parameter [enabled] on mapper [desc] of type [text] unknown parameter [enabled] on mapper [desc] of type [text] I tested index instead of enabled and it worked. What is the difference between index and enabled? I'm using version 7.12.0
Sorry, my bad!! enabled can only be applied to the object type of field, and index is applied to core types of field like text etc. You can use the index param. I will update my answer!!
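
Added example (not part of the original question, answer or comments): because the question's fields are dynamic, one way to apply the `fields` restriction from the answer is to derive the list from the index mapping at query time and leave out the fields that must not be searched. The helper names, the constructed sample mapping and the choice to keep only `text`/`keyword` fields are assumptions of this example.

```python
# Added example: build an explicit "fields" list for query_string from the
# index mapping, leaving out the fields that must not be searched.
SEARCHABLE_TYPES = {"text", "keyword"}  # assumption: only string fields matter for "*list*"


def searchable_fields(properties, excluded, prefix=""):
    """Walk a mapping 'properties' dict and return searchable field paths."""
    found = set()
    for name, spec in properties.items():
        path = prefix + name
        if path in excluded:
            continue  # drops the field and everything nested under it
        # Object fields carry nested "properties"; multi-fields carry "fields".
        for key in ("properties", "fields"):
            if key in spec:
                found |= searchable_fields(spec[key], excluded, path + ".")
        # "index": false means the field is kept in _source but is not searchable.
        if spec.get("type") in SEARCHABLE_TYPES and spec.get("index", True):
            found.add(path)
    return found


def build_query(mapping_response, query, excluded):
    """mapping_response: parsed JSON body of GET <index-pattern>/_mapping."""
    fields = set()
    for index_body in mapping_response.values():
        props = index_body.get("mappings", {}).get("properties", {})
        fields |= searchable_fields(props, set(excluded))
    return {"query": {"query_string": {"query": query, "fields": sorted(fields)}}}


# Constructed sample mapping for two indices (not from the original post).
SAMPLE_MAPPING = {
    "siem-referencedata-list-000001": {"mappings": {"properties": {
        "id": {"type": "keyword"},
        "name": {"type": "text", "fields": {"raw": {"type": "keyword"}}},
        "created": {"type": "date"},
        "owner": {"properties": {"login": {"type": "keyword"}}},
    }}},
    "siem-referencedata-list-000002": {"mappings": {"properties": {
        "id": {"type": "keyword"},
        "desc": {"type": "text", "index": False},
        "tag": {"type": "keyword"},
    }}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(SAMPLE_MAPPING, "*list*", ["id"]), indent=2))
```

The generated list has to be rebuilt whenever dynamic mapping adds fields, and the number of fields queried at once is bounded by the `indices.query.bool.max_clause_count` setting.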
