In my last blog, I have explained basic Elasticsearch queries using which we can create basic search queries. Now in this blog, I will explain advanced search queries using which we can construct more complex queries like boolean queries, wildcard queries, etc. So let's start to create the search queries:

Wildcard Query:

Using wildcard queries we can search for items without knowing the exact spelling. Means if someone is not knowing the exact spelling of a word then also he/she can search that word. See the below example:

GET /blogs/technical/_search
{
  "query": { 
    "wildcard": { 
      "topic": "ki??na" 
    }
  }
}

In the above query, we are looking for a word which starts with 'ki' and ends with 'na' with exactly two characters which is marked as '?'. After executing the above search we will get the following result:

{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 1,
    "max_score": 1,
    "hits": [
      {
        "_index": "blogs",
        "_type": "technical",
        "_id": "2",
        "_score": 1,
        "_source": {
          "topic": "introduction to Kibana"
        }
      }
    ]
  }
}

The result shows the topic "introduction to Kibana" because of the wildcard search 'ki??na' matches to this topic. In my previous blogs of Elasticsearch I have explained the steps to index the documents so please refer to them if you want to know the basics of Elasticsearch. If we don't know the exact character length then we can run the following query:

GET /blogs/technical/_search
{
  "query": { 
    "wildcard": { 
      "topic": "k*na" 
    }
  }
}

In the above query, we only know that the word starts with "k" and ends with "na" but we don't know the number of characters in between. Even if we don't know the end of the word then we can type the starting character and just pass a '*', it will fetch all words which start with the given character irrespective of the length of the matching word.

Boolean Query:

The boolean query is used to search the results on the basis of joining them with 'or', 'and', 'not' conditions. Like joining two conditions with any of them for example:

"name": "anurag"  and "age": "30"
"name": "anurag"  or "name": kapil"

 The above examples are just a representation and not the actual Elasticsearch query. Now let's understand how we can achieve the same type of conditions in Elasticsearch. See the below example:

GET /blogs/technical/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "_type": "technical"
          }
        }
      ],
      "must_not": [
        {
          "match": {
            "topic": "kibana"
          }
        }
      ]
    }
  }
}

In the above query, I am applying the boolean query by passing the "bool" key after the "query" keyword and then under the "bool" block I have provided two blocks "must" and "must_not". These two blocks have a totally different meaning as "must" is there to ensure the existence of the given condition inside the block while "must_not" is there to ensure the non-existence of the given condition inside on the block. Now under "must" block I have added a "match" block to match the "_type" key with value as "technical" and under "must_not" I have added, "match" block to match the "topic" with "kibana".

So what will happen? in the above query, Elasticsearch will exclude all documents where topic matches with "Kibana" and will include where "_type" key matches with value "technical". Above query will return the following result:

{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 1,
    "max_score": 1,
    "hits": [
      {
        "_index": "blogs",
        "_type": "technical",
        "_id": "1",
        "_score": 1,
        "_source": {
          "topic": "introduction to Elasticsearch",
          "category": "ELK"
        }
      }
    ]
  }
}

In the above result, we have found the "_type" as "technical" and "topic" as "introduction to Elasticsearch" and there is no "Kibana". Take one more example:

GET /blogs/technical/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "_type": "technical"
          }
        },
        {
          "match": {
            "topic": "kibana"
          }
        }
      ]
    }
  }
}

In the above query, we are matching the "_type" as "technical" and "topic" as "kibana" with a "must" condition, so it will return the documents where both of these items are matched. Take one more example:

GET /blogs/technical/_search
{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "_type": "technical"
          }
        },
        {
          "match": {
            "topic": "kibana"
          }
        }
      ]
    }
  }
}

In the above query, I have replaced the "must" with "should" so now query will list all those documents where the "_type" matches with "technical" or "topic" match with "kibana". So basically here we will get both documents with topic Kibana and Elasticsearch. If I replace the "should" keyword with "must_not" then it will exclude both the conditions and we will not get a single document.

In this blog, I have tried to explain the wildcard query and boolean query of Elasticsearch.

Other Blogs on Elastic Stack:
Introduction to Elasticsearch
Elasticsearch Installation and Configuration on Ubuntu 14.04
Log analysis with Elastic stack 
Elasticsearch Rest API
Basics of Data Search in Elasticsearch
Elasticsearch Rest API
Wildcard and Boolean Search in Elasticsearch
Configure Logstash to push MySQL data into Elasticsearch 
Metrics Aggregation in Elasticsearch
Bucket Aggregation in Elasticsearch
How to create Elasticsearch Cluster