Reputation: 57
I use NLog to write log messages to Elasticsearch; the index structure is here:

    "mappings": {
      "logevent": {
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "MachineName": {
            "type": "text",
            "fields": {
              "keyword": {
                "ignore_above": 256,
                "type": "keyword"
              }
            }
          },
          "level": {
            "type": "text",
            "fields": {
              "keyword": {
                "ignore_above": 256,
                "type": "keyword"
              }
            }
          },
          "message": {
            "type": "text",
            "fields": {
              "keyword": {
                "ignore_above": 256,
                "type": "keyword"
              }
            }
          }
        }
      }
    }
I was able to get results using a text search:

    GET /webapi-2022.07.28/_search
    {
      "query": {
        "match": {
          "message": "ERROR"
        }
      }
    }

Result:

    "hits" : [
      {
        "_index" : "webapi-2022.07.28",
        "_type" : "logevent",
        "_id" : "IFhYQoIBRhF4cR9wr-ja",
        "_score" : 4.931916,
        "_source" : {
          "@timestamp" : "2022-07-28T01:07:58.8822339Z",
          "level" : "Error",
          "message" : """2022-07-28 09:07:58.8822|ERROR|AppSrv.Filter.AccountAuthorizeAttribute|[KO17111808]-[172.10.2.200]-[ERROR]-"message"""",
          "MachineName" : "WIN-EPISTFOBD41"
        }
      }
      //.....
    ]
But when I use keyword, I get nothing:

    GET /webapi-2022.07.28/_search
    {
      "query": {
        "term": {
          "message.keyword": "ERROR"
        }
      }
    }

I tried term and match; the result is the same.
Upvotes: 0
Views: 2190
Reputation: 32376
This is happening because the message field does not just contain ERROR but also other strings in the .keyword field; you need to use the text search only in your case. You can use the .keyword field only for an exact search.

If your message field contained only the ERROR string, then searching on your .keyword field would produce a result; you can test it yourself by indexing a sample document.
Upvotes: 1
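To see why the two queries behave differently without standing up a cluster, here is an added offline simulation (example code written for this page, not from the question, the answer, or Elasticsearch itself). It approximates the standard analyzer with a word-character regex plus lowercasing, models the `.keyword` sub-field as the untouched string subject to the mapping's `ignore_above: 256`, and runs both query styles over a document constructed to match the hit shown above.

```python
import re

# Constructed document shaped like the hit in the question (sample data, not a real index).
DOC = {
    "level": "Error",
    "message": '2022-07-28 09:07:58.8822|ERROR|AppSrv.Filter.AccountAuthorizeAttribute'
               '|[KO17111808]-[172.10.2.200]-[ERROR]-"message"',
}
IGNORE_ABOVE = 256  # value from the mapping's .keyword sub-fields


def analyze(text):
    """Rough stand-in for the standard analyzer: split on non-word characters, lowercase.
    (The real tokenizer follows Unicode text segmentation; this is an approximation.)"""
    return [tok.lower() for tok in re.findall(r"\w+", text)]


def match_query(doc, field, query):
    """`match` on a text field: both sides are analyzed, and any shared token is a hit."""
    doc_tokens = set(analyze(doc[field]))
    return any(tok in doc_tokens for tok in analyze(query))


def term_query_keyword(doc, field, value):
    """`term` on field.keyword: case-sensitive comparison of the *whole* stored string.
    Values longer than ignore_above are not indexed in .keyword at all, so they never match."""
    stored = doc[field]
    if len(stored) > IGNORE_ABOVE:
        return False
    return stored == value


def run_examples(doc=DOC):
    """Reproduce the question's two queries, plus the cases the answer describes."""
    return {
        "match message ERROR": match_query(doc, "message", "ERROR"),
        "term message.keyword ERROR": term_query_keyword(doc, "message", "ERROR"),
        "term message.keyword full string": term_query_keyword(doc, "message", doc["message"]),
        "term level.keyword Error": term_query_keyword(doc, "level", "Error"),
        "term level.keyword ERROR": term_query_keyword(doc, "level", "ERROR"),
    }


if __name__ == "__main__":
    for name, hit in run_examples().items():
        print(f"{name:36} -> {'hit' if hit else 'no hit'}")
```

For filtering error-level events (for example when building an alert), the exact value in `level.keyword` is the reliable handle; the `message.keyword` sub-field is only useful when you hold the complete, case-exact string.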