Commit ecd0f0c

Add note about multi-value fields handling in KQL range queries (#4317)
## Summary

Clarifies the explanation about range queries on multi-value fields.

Fixes: elastic/docs-content-internal#569

## Generative AI disclosure

<!--
To help us ensure compliance with the Elastic open source and documentation guidelines, please answer the following:
-->

1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?

- [ ] Yes
- [x] No

<!--
2. If you answered "Yes" to the previous question, please specify the tool(s) and model(s) used (e.g., Google Gemini, OpenAI ChatGPT-4, etc.).

Tool(s) and model(s) used:
-->

Co-authored-by: Fabrizio Ferri-Benedetti <[email protected]>
1 parent ea03229 commit ecd0f0c

1 file changed: +7 -1 lines changed
explore-analyze/query-filter/languages/kql.md

Lines changed: 7 additions & 1 deletion
@@ -91,12 +91,18 @@ To search documents that contain terms within a provided range, use KQL’s rang
9191
http.response.bytes < 10000
9292
```
9393

94-
To search for an inclusive range, combine multiple range queries. For example, to search for documents where `http.response.bytes` is greater than 10000 but less than or equal to 20000, use the following syntax:
94+
To search for an inclusive range, combine multiple range conditions. For example, to search for documents where `http.response.bytes` is greater than 10000 but less than or equal to 20000, use the following syntax:
9595

9696
```yaml
9797
http.response.bytes > 10000 and http.response.bytes <= 20000
9898
```
9999

100+
:::{note}
101+
When using range queries with multiple conditions on multi-value fields, each condition is evaluated independently against all values in the array.
102+
103+
For example, the query `number > 300 AND number < 400` will match a document with `"number": [500, 10]` because 500 satisfies the first condition and 10 satisfies the second condition. If you need all conditions to be satisfied by the same value, consider using [Query DSL](elasticsearch://reference/query-languages/query-dsl/query-dsl-range-query.md) instead, which will only match documents where at least one value falls entirely within the specified range.
104+
:::
105+
100106
You can also use range syntax for string values, IP addresses, and timestamps. For example, to search for documents earlier than two weeks ago, use the following syntax:
101107

102108
```yaml
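Review bot: The rewritten sentence at line 94 still calls this an "inclusive range", but the example `http.response.bytes > 10000 and http.response.bytes <= 20000` excludes the lower bound, so either the wording should describe a range with one exclusive and one inclusive end or the example should use `>=`. In the added note (lines 100 to 104), the example uses uppercase `AND` while the example directly above uses lowercase `and`; use one form in both places. The closing clause "at least one value falls entirely within the specified range" would read more clearly as "a single value satisfies both bounds", which is the contrast the note draws with `"number": [500, 10]`. The note could also state the consequence directly: a two-condition range in a filter can match a document in which no single value lies inside the range.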
