
Searching with upper-case characters returns no results in an Elasticsearch prefix query. I have not defined any analyzer in the mapping, and I assume Elasticsearch will use the default mapping for both indexing and search.

{
  "access-event-logs_2016-02-08t00:00:00-08:00": {
    "mappings": {
      "session-summary": {
        "dynamic_templates": [
          {
            "long_1": {
              "mapping": {
                "type": "long"
              },
              "match": "generation"
            }
          },
          {
            "datetime_1": {
              "mapping": {
                "format": "strict_date_optional_time||epoch_millis",
                "type": "date"
              },
              "match": "*DateTime"
            }
          },
          {
            "string_1": {
              "mapping": {
                "index": "not_analyzed",
                "type": "string"
              },
              "match": "*"
            }
          }
        ],
        "properties": {
          "Access_Policy_Result": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Bytes_In": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Bytes_Out": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Client_IP": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Client_Platform": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Continent": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Country": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Partition": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Reputation": {
            "type": "string",
            "index": "not_analyzed"
          },
          "State": {
            "type": "string",
            "index": "not_analyzed"
          },
          "User_Name": {
            "type": "string",
            "index": "not_analyzed"
          },
          "Virtual_IP": {
            "type": "string",
            "index": "not_analyzed"
          },
          "accessProfile": {
            "type": "string",
            "index": "not_analyzed"
          },
          "active": {
            "type": "string",
            "index": "not_analyzed"
          },
          "badIpReputation": {
            "type": "string",
            "index": "not_analyzed"
          },
          "clusterName": {
            "type": "string",
            "index": "not_analyzed"
          },
          "duration": {
            "type": "string",
            "index": "not_analyzed"
          },
          "eventConversionDateTime": {
            "type": "date",
            "format": "strict_date_optional_time||epoch_millis"
          },
          "generation": {
            "type": "long"
          },
          "hostname": {
            "type": "string",
            "index": "not_analyzed"
          },
          "lastUpdateMicros": {
            "type": "string",
            "index": "not_analyzed"
          },
          "sessionDuration": {
            "type": "string",
            "index": "not_analyzed"
          },
          "sessionKey": {
            "type": "string",
            "index": "not_analyzed",
            "include_in_all": false
          },
          "sessionTerminationDateTime": {
            "type": "date",
            "format": "strict_date_optional_time||epoch_millis"
          },
          "session_id": {
            "type": "string",
            "index": "not_analyzed"
          },
          "unique_id": {
            "type": "string",
            "index": "not_analyzed",
            "include_in_all": false
          },
          "virtualServer": {
            "type": "string",
            "index": "not_analyzed"
          }
        }
      }
    }
  }
}

This query returns results, but if I search with `Common` instead of `common`, no results are returned. Do I need to specify an analyzer to perform a case-insensitive search?

{
      "query":{  
         "filtered":{  
            "filter":{  
               "bool":{  
                  "must":[  
                     {  
                        "range":{  
                           "eventConversionDateTime":{  
                              "gte":"2015-10-30T02:50:39.237Z",
                              "lte":"2015-12-31T02:50:38.237Z"
                           }
                        }
                     }
                       {  
                        "prefix":{  
                               "_all":"common"

                        }
                     }
                  ]
               }
            }
         }
      }

3 Answers


Look at your document; IIRC, ES lowercases everything as it indexes a document. Also, use match queries, as they take care of the hoops needed to match.


The ES documentation says it clearly: "Matches documents that have fields containing terms with a specified prefix (not analyzed). The prefix query maps to Lucene PrefixQuery."

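The prefix query is a non-analyzed search query: the search text is not lowercased or otherwise analyzed before it is compared with the indexed terms. The `_all` field, by contrast, is analyzed at index time (the default analyzer lowercases terms), so the prefix `common` matches while `Common` does not.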


The best approach to solve your problem is to index all your documents in lowercase and also pass the search text in lowercase, because in Elasticsearch search texts are case sensitive. If you do not want to do that, you can set a custom analyzer for your index that generates all the terms in lowercase. Please refer to the following document: https://www.elastic.co/guide/en/elasticsearch/reference/2.2/analysis-lowercase-tokenfilter.html