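AND/OR nested queries with different paths in Elasticsearch

Time: 2016-09-15 11:57:13

Tags: elasticsearch

I have some deeply nested objects in Elasticsearch. I am trying to find an efficient way to AND them using a bool query.

Below is my mapping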

sample:
    type: nested
    properties:
        vendor_detections:
            type: nested
            properties:
                vendor_name:
                    type: string
                signature:
                    type: nested
                    properties:
                        name:
                            type: string

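The query I am trying should give me all the samples for which the vendor detection for vendor "microsoft" contains the string "Win32". Below is the query I tried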

GET /my_index/sample/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "nested": {
            "path": "vendor_detections",
            "query": {
              "match": {
                    "vendor_detections.vendor_name": "microsoft"
               }
            }
          }
        },
        {
          "nested": {
            "path": "vendor_detections.signature",
            "query": {
              "wildcard": {
                    "vendor_detections.signature.name": "Win32*"
               }
            }
          }
        }
      ]
    }
  }
}

A "sample" contains the field "vendor_detections"

{
  "md5sum": "",
  "vendor_detections": [{
      "vendor_name": "symantec",
      "service_name": "spw",
      "signature": {
          "name": "W32.Wapomi!inf",
          "threat": {
              "vulnerabilities": [],
              "threat_category": {
                  "name": "Unknown"
              },
              "targets": []
          }
      }
  }, {
      "vendor_name": "kaspersky",
      "service_name": "spw",
      "signature": {
          "name": "Virus.Win32.Qvod.f",
          "threat": {
              "vulnerabilities": [],
              "threat_category": {
                  "name": "Unknown"
              },
              "targets": []
          }
      }
  }, {
      "vendor_name": "bitdefender",
      "service_name": "spw",
      "signature": {
          "name": "Win32.Viking.AX",
          "threat": {
              "vulnerabilities": [],
              "threat_category": {
                  "name": "Unknown"
              },
              "targets": []
          }
      }
  }]
}

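However, this returns all the samples where the signature of any one of the 4 vendors I use in my application contains the string "Win32". How can I fix this?

2 answers:

Answer 0: (score: 1)

Try this; I haven't checked it, but it should work.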

{
  "query": {
    "bool": {
      "must": [
        {
          "nested": {
            "path": "sample.vendor_detections",
            "query": {
              "bool": {
                "must": [
                  {
                    "match": {
                      "sample.vendor_detections.vendor_name": "microsoft"
                    }
                  },
                  {
                    "wildcard": {
                      "sample.vendor_detections.signature.name": "win32*"
                    }
                  }
                ]
              }
            }
          }
        }
      ]
    }
  }
}

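Answer 1: (score: 1)

Based on the information in your question, i.e. the mapping and the sample document, there is no reason to declare signature as a nested object, because each nested {{1} has only one object.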
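
The difference between the question's two sibling nested clauses and a single nested scope, modelled in Python as an added example that is not from the question or either answer. The documents are constructed, signature names are compared as exact un-analyzed terms (an assumption), and build_query uses the field paths from the question's query with an inner nested clause because the mapping declares signature as nested.

```python
from fnmatch import fnmatchcase

# Constructed documents; field names follow the question's sample.
FALSE_POSITIVE = {"vendor_detections": [
    {"vendor_name": "microsoft", "signature": {"name": "Constructed.Other.A"}},
    {"vendor_name": "bitdefender", "signature": {"name": "Win32.Viking.AX"}},
]}
TRUE_HIT = {"vendor_detections": [
    {"vendor_name": "microsoft", "signature": {"name": "Win32.Constructed.B"}},
]}


def sibling_nested_match(doc, vendor, pattern):
    """Two nested clauses under bool.must: each is satisfied by any entry."""
    dets = doc["vendor_detections"]
    return (any(d["vendor_name"] == vendor for d in dets)
            and any(fnmatchcase(d["signature"]["name"], pattern) for d in dets))


def same_entry_match(doc, vendor, pattern):
    """Both conditions inside one nested scope: one entry must satisfy both."""
    return any(d["vendor_name"] == vendor
               and fnmatchcase(d["signature"]["name"], pattern)
               for d in doc["vendor_detections"])


def build_query(vendor, pattern):
    """Query body keeping both conditions in the same vendor_detections entry.
    The inner nested clause exists because the mapping declares signature nested."""
    return {"query": {"nested": {
        "path": "vendor_detections",
        "query": {"bool": {"must": [
            {"match": {"vendor_detections.vendor_name": vendor}},
            {"nested": {
                "path": "vendor_detections.signature",
                "query": {"wildcard": {
                    "vendor_detections.signature.name": pattern}},
            }},
        ]}},
    }}}


if __name__ == "__main__":
    for name, doc in (("false positive", FALSE_POSITIVE), ("true hit", TRUE_HIT)):
        print(name, sibling_nested_match(doc, "microsoft", "Win32*"),
              same_entry_match(doc, "microsoft", "Win32*"))
```

The first document is the false positive described in the question: the vendor and the signature conditions are each met, but by different vendor_detections entries.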