Filtering empty or non empty array in Elasticsearch Kibana

Question

How can I search for an empty array or non empty array field in Kibana? To be more precise: There is an api that is used for queries and these requests/responses are logged. The search may result in an empty array if no elements have been found: 'response: []'. In other cases this "Response" field is an array populated with objects: 'response: [{"myProp": "something"}, {"myProp": "something2"}]'.
I've tried to use DSL queries, nested searches and other Stackoverflow answers but without success. For the following I get syntax error (or for any other solution I try to use) in the Kibana DSL query:

"must_not": {
  "script": {
    "script": "response.size() > 0"
  }
}

or using the following results in an Internal Server Error:

{
  "script": "response.size > 0"
}

Answer 1

If your response field is NOT defined as nested, you'll need to target one of the array objects' keys instead of the array itself. You should preferably pick a key that's present in all of the child objects -- in your case myProp.

Now, if myProp has a defined keyword sub-mapping, you could do:

{
  "script": {
    "script": {
      "source": "doc['response.myProp'].size() > 0",
      "lang": "painless"
    }
  }
}

which basically says, look at the length of the doc values array and infer the parent array length based on that.

---

If your response is indeed nested, it gets even tricker. I've explained the reasons in my answers to:

• Elasticsearch search query: why params._source.nested_field.size() is not working in script?
• and How to iterate through a nested array in elasticsearch with filter script?

but the principle stays the same — you'd extract the contents of the nested array objects onto a flattened level where it's easier to compute the resulting array length.