Reputation: 6188
I cannot understand why, when I query Elasticsearch with a filter like this:
curl -H'content-type: application/json' "localhost:9200/.kibana/_search" -d '{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "type": "index-pattern"
          }
        }
      ]
    }
  }
}'
{"took":0,"timed_out":false,"_shards":{"total":4,"successful":4,"skipped":0,"failed":0},"hits":{"total":{"value":0,"relation":"eq"},"max_score":null,"hits":[]}}
As you can see, I get an empty result set. But I do have a document where the "type" field equals "index-pattern".
{
  "_index": ".kibana",
  "_type": "_doc",
  "_id": "index-pattern:c37de740-7e94-11eb-b6c2-4302716621be",
  "_score": 0,
  "_source": {
    "index-pattern": {
      "title": "r*",
      "timeFieldName": "@timestamp",
      "fields": "<omitted - too long>"
    },
    "type": "index-pattern",
    "references": [],
    "migrationVersion": {
      "index-pattern": "7.6.0"
    },
    "updated_at": "2021-03-06T15:58:18.062Z"
  }
}
What's wrong with my query?
Upvotes: 1
Views: 815
Reputation: 16925
When the type field is mapped as text by default and you'd like to apply term queries on it, the hyphen will prevent the query from matching because text is analyzed by the standard analyzer, which removes hyphens and other special characters upon ingestion. Having said that, the term query returns documents that contain an exact match (special chars included), which caused your original query to not return anything.
So target the .keyword multi-field instead:
curl -H'content-type: application/json' "localhost:9200/.kibana/_search" -d '{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "type.keyword": "index-pattern"
          }
        }
      ]
    }
  }
}'
Upvotes: 4
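The mechanism the answer describes, as a small Python model added here for illustration (it is not part of either post and is not Elasticsearch code): a text field is tokenized at index time, a term query looks its value up verbatim, and the .keyword sub-field keeps the original string. The tokenizer is a simplified stand-in for the standard analyzer, and DOCS is constructed sample data.

```python
import re

# Constructed sample documents (not taken from a real index).
DOCS = {
    "index-pattern:1": {"type": "index-pattern"},
    "dashboard:1": {"type": "dashboard"},
}

def standard_analyze(text):
    """Simplified stand-in for the standard analyzer:
    lowercase, then split on anything that is not a letter or digit."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]

def build_index(docs, field):
    """Index `field` twice: analyzed (text) and verbatim (`<field>.keyword`)."""
    index = {field: {}, field + ".keyword": {}}
    for doc_id, source in docs.items():
        value = source[field]
        for token in standard_analyze(value):
            index[field].setdefault(token, set()).add(doc_id)
        index[field + ".keyword"].setdefault(value, set()).add(doc_id)
    return index

def term_query(index, field, value):
    """term: the query value is NOT analyzed, it must equal a stored token."""
    return sorted(index[field].get(value, set()))

def match_query(index, field, value):
    """match: the query text is analyzed too; any token may hit (default OR)."""
    hits = set()
    for token in standard_analyze(value):
        hits |= index[field].get(token, set())
    return sorted(hits)

INDEX = build_index(DOCS, "type")

if __name__ == "__main__":
    print("tokens stored for text field:", standard_analyze("index-pattern"))
    print("term  on type          :", term_query(INDEX, "type", "index-pattern"))
    print("term  on type.keyword  :", term_query(INDEX, "type.keyword", "index-pattern"))
    print("match on type          :", match_query(INDEX, "type", "index-pattern"))
```

On a live cluster, the index mapping shows whether the field is text with a keyword sub-field, which decides which of these lookups applies.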