Book Image

Elasticsearch 8.x Cookbook - Fifth Edition

By : Alberto Paro
Book Image

Elasticsearch 8.x Cookbook - Fifth Edition

By: Alberto Paro

Overview of this book

Elasticsearch is a Lucene-based distributed search engine at the heart of the Elastic Stack that allows you to index and search unstructured content with petabytes of data. With this updated fifth edition, you'll cover comprehensive recipes relating to what's new in Elasticsearch 8.x and see how to create and run complex queries and analytics. The recipes will guide you through performing index mapping, aggregation, working with queries, and scripting using Elasticsearch. You'll focus on numerous solutions and quick techniques for performing both common and uncommon tasks such as deploying Elasticsearch nodes, using the ingest module, working with X-Pack, and creating different visualizations. As you advance, you'll learn how to manage various clusters, restore data, and install Kibana to monitor a cluster and extend it using a variety of plugins. Furthermore, you'll understand how to integrate your Java, Scala, Python, and big data applications such as Apache Spark and Pig with Elasticsearch and create efficient data applications powered by enhanced functionalities and custom plugins. By the end of this Elasticsearch cookbook, you'll have gained in-depth knowledge of implementing the Elasticsearch architecture and be able to manage, search, and store data efficiently and effectively using Elasticsearch.
Table of Contents (20 chapters)

Adding a field with multiple mappings

Often, a field must be processed with several core types or in different ways. For example, a string field must be processed as tokenized for search and not-tokenized for sorting. To do this, we need to define a fields multifield special property.

The fields property is a very powerful feature of mappings because it allows you to use the same field in different ways.

Getting ready

You will need an up-and-running Elasticsearch installation, as we described in the Downloading and installing Elasticsearch recipe of Chapter 1Getting Started.

To execute the commands in this recipe, you can use any HTTP client, such as curl (, Postman (, or similar. I suggest using the Kibana console, which provides code completion and better character escaping for Elasticsearch.

How to do it…

To define a multifield property, we need to define a dictionary containing the fields subfield. The subfield with the same name as a parent field is the default one.

If we consider the item from our order example, we can index the name like so:

{ "name": {
    "type": "keyword",
    "fields": {
      "name": {"type": "keyword"},
      "tk": {"type": "text"},
      "code": {"type": "text","analyzer": "code_analyzer"}
} },

If we already have a mapping stored in Elasticsearch and we want to migrate the fields in a multi-field property, it's enough to save a new mapping with a different type, and Elasticsearch provides the merge automatically. New subfields in the fields property can be added without problems at any moment, but the new subfields will only be available while you're searching/aggregating newly indexed documents.

When you add a new subfield to already indexed data, you need to reindex your record to ensure you have it correctly indexed for all your records.

How it works…

During indexing, when Elasticsearch processes a fields property of the multifield type, it reprocesses the same field for every subfield defined in the mapping.

To access the subfields of a multifield, we must build a new path on the base field, plus use the subfield's name. In the preceding example, we have the following:

  • name: This points to the default multifield subfield-field (the keyword one).
  • This points to the standard analyzed (tokenized) text field.
  • name.code: This points to a field that was analyzed with a code extractor analyzer.

As you may have noticed in the preceding example, we changed the analyzer to introduce a code extractor analyzer that allows you to extract the item code from a string.

By using the multifield, if we index a string such as Good Item to buy - ABC1234, we'll have the following:

  • name = Good Item to buy - ABC1234 (useful for sorting)
  • ["good", "item", "to", "buy", "abc1234"] (useful for searching)
  • name.code = ["ABC1234"] (useful for searching and aggregations)

In the case of the code analyzer, if the code is not found in the string, no tokens are generated. This makes it possible to develop solutions that carry out information retrieval tasks at index time and uses these at search time.

There's more...

The fields property is very useful in data processing because it allows you to define several ways to process field data.

For example, if we are working on documental content (such as articles, word documents, and so on), we can define fields as subfield analyzers to extract names, places, date/time, geolocation, and so on.

The subfields of a multifield are standard core type fields – we can perform every process we want on them, such as search, filter, aggregation, and scripting.

See also

To find out more about what Elasticsearch analyzers you can use, please refer to the Specifying different analyzers recipe.