How can I achieve that a match query for certain fields is equivalent to a term query?

I have a larger index in Elastic covering events. Each event has an eventid field consisting of a random hex string (e.g. f4fc38c993c1a8273f9c40eedc9050b7) as well as some other fields. The eventid is indexed as keyword in Elastic.

If I query based on this field in Kibana, the query often runs into timeouts, because Kibana automatically generates a match query for eventid:f4fc38c993c1a8273f9c40eedc9050b7.

If I set a manual filter using { "query": { "term": { "eventid": "f4fc38c993c1a8273f9c40eedc9050b7" } } } (so a term instead of match query) I get a response quite quickly.

From my understanding, these should be pretty much equivalent, as keyword fields aren't analyzed, so the match query should be equivalent to a term query.

What am I missing?

kelunik
  • The field being a keyword only means that it is not analyzed prior to indexing. Nothing should change during an actual query. However, both queries should be roughly similar. Maybe Kibana is computing something else; do you have the exact query sent by Kibana? – rkouye Jul 16 '21 at 19:24

0 Answers