Elastic Search

What is Boolean Query in Elasticsearch

A Boolean query, or bool query, in Elasticsearch is a compound query that combines other queries using Boolean logic.

Elasticsearch searches the documents in the specified index and returns every record that matches the combination of Boolean clauses.

Using Boolean queries, you can filter for more specific parameters, allowing you to get more precise results.

In this article, we will look at how to use four Boolean clauses available in Elasticsearch: must, must_not, should, and filter.

General Syntax

The general syntax of a Boolean query used in Elasticsearch is:

GET _search
{
 "query": {
   "bool": {
     "must": [
       {}
     ],
     "must_not": [
       {}
     ],
     "should": [
       {}
     ],
     "filter": [
       {}
     ]
   }
 }
}

You do not have to combine all four Boolean occurrences in a single query. Each can be used on its own.

Boolean Must

Let’s say you have an index containing web logs. We can fetch the documents whose machine.os field identifies a Windows machine. Below is an example query:

GET /kibana_sample_data_logs/_search
{
 "query": {
   "bool": {
     "must": [
       {"term": {
         "machine.os": {
           "value": "win"
         }
       }}
     ]
   }
 }
}

The query above returns only the documents whose machine.os field matches the term “win”, that is, the Windows machines.

Boolean Must_not

Similarly, we can use the must_not occurrence to exclude the documents where the OS is Windows.

Take the example query below:

GET /kibana_sample_data_logs/_search
{
 "query": {
   "bool": {
     "must_not": [
       {"term": {
         "machine.os": {
           "value": "win"
         }
       }}
     ]
   }
 }
}

This query filters out all the records where machine.os is a Windows machine. Below is an example result:

Boolean Filter

The filter clause removes every document that does not match the specified condition. Unlike must, a filter clause runs in filter context: it does not contribute to the relevance score, and Elasticsearch can cache its result, which makes it the natural place for exact yes/no conditions such as ranges and terms.

For example, we can filter for the log entries where the number of bytes is greater than or equal to 10000 (the range query below uses gte).

We can run a query as shown below:

GET /kibana_sample_data_logs/_search
{
 "query": {
   "bool": {
     "filter": [
       {"range": {
         "bytes": {
           "gte": 10000
         }
       }}
     ]
   }
 }
}

The response includes only the documents whose bytes value is greater than or equal to the set value.

Example response:

You can also combine a filter with the other Boolean occurrences. For example, the query below first matches the documents where machine.os is “win” and then filters for bytes greater than or equal to 10000.

GET kibana_sample_data_logs/_search
{
 "query": {
   "bool": {
     "must": [
       {"term": {
         "machine.os": {
           "value": "win"
         }
       }}
     ],
     "filter": [
       {"range": {
         "bytes": {
           "gte": 10000
         }
       }}
     ]
   }
 }
}

In this case, the must clause selects the documents whose machine.os field contains the term “win”, and the filter clause narrows them to those with bytes greater than or equal to 10000.

The resulting documents will be similar to the one shown below:

Boolean Should

The final Boolean occurrence you can use is should. It is similar to must but less strict: a should clause is optional. When the bool query contains no must or filter clause, at least one should clause has to match (minimum_should_match defaults to 1 in that case); when a must or filter clause is present, should clauses only raise the relevance score of the documents that match them, unless you set minimum_should_match explicitly.

GET kibana_sample_data_logs/_search
{
 "query": {
   "bool": {
     "should": [
       {"match": {
         "machine.os": "osx"
       }}
     ]
   }
 }
}

The example returns the records where the string “osx” appears in the machine.os field.

Conclusion

In this article, you learned how to work with the bool query in Elasticsearch and filter results based on specific conditions.

About the author

John Otieno

My name is John and I am a fellow geek like you. I am passionate about all things computers, from hardware and operating systems to programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to the LinuxHint mailing list.