Bird
Raised Fist0
Elasticsearchquery~5 mins

Saved searches and filters in Elasticsearch

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Saved searches and filters help you quickly find the same data again without typing the search every time.

You want to reuse a search query often without rewriting it.
You need to share a specific search with your team.
You want to apply the same filter to different dashboards or reports.
You want to save time by not building complex queries repeatedly.
Syntax
Elasticsearch
POST /_search/template
{
  "id": "my_saved_search",
  "params": {
    "filter_value": "example"
  }
}

Saved searches are stored as search templates with an ID.

You can pass parameters to customize the saved search when running it.

Examples
This saves a search template named my_saved_search that looks for a message matching a value you provide.
Elasticsearch
PUT /_scripts/my_saved_search
{
  "script": {
    "lang": "mustache",
    "source": "{\"query\":{\"match\":{\"message\":\"{{filter_value}}\"}}}"
  }
}
This runs the saved search with the filter value set to "error".
Elasticsearch
POST /_search/template
{
  "id": "my_saved_search",
  "params": {
    "filter_value": "error"
  }
}
This example shows a filter that finds documents where status is active and age is 30 or more.
Elasticsearch
GET /my-index/_search
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "status": "active" } },
        { "range": { "age": { "gte": 30 } } }
      ]
    }
  }
}
Sample Program

This program first saves a search template that looks for documents with a title matching a term you give. Then it runs that saved search with the term "Elasticsearch".

Elasticsearch
PUT /_scripts/saved_search_example
{
  "script": {
    "lang": "mustache",
    "source": "{\"query\":{\"match\":{\"title\":\"{{search_term}}\"}}}"
  }
}

POST /_search/template
{
  "id": "saved_search_example",
  "params": {
    "search_term": "Elasticsearch"
  }
}
OutputSuccess
Important Notes

Saved searches are stored as scripts or templates in Elasticsearch.

You can update saved searches anytime by changing the script.

Filters help narrow down results without changing the main query.

Summary

Saved searches let you reuse queries easily.

Filters help focus on specific data in your searches.

You run saved searches by calling their ID and passing parameters.

Practice

(1/5)
1. What is the main purpose of a saved search in Elasticsearch?
easy
A. To create visual charts from data
B. To store raw data permanently
C. To reuse a query easily without rewriting it every time
D. To delete old data automatically

Solution

  1. Step 1: Understand what saved searches do

    Saved searches store queries so you can run them again without rewriting.

  2. Step 2: Compare options to this purpose

    Only To reuse a query easily without rewriting it every time describes reusing queries easily, which matches saved searches.

  3. Final Answer:

    To reuse a query easily without rewriting it every time -> Option C

  4. Quick Check:

    Saved searches = reuse queries [OK]
Hint: Saved searches store queries for reuse, not data or visuals [OK]
Common Mistakes:
  • Confusing saved searches with data storage
  • Thinking saved searches create charts
  • Assuming saved searches delete data
2. Which of the following is the correct JSON structure to apply a filter in a saved search?
easy
A. {"query": {"match_all": {}}, "filter": {"term": {"status": "active"}}}
B. {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}}
C. {"query": {"term": {"status": "active"}}}
D. {"filter": {"match": {"status": "active"}}}

Solution

  1. Step 1: Recall filter syntax in Elasticsearch saved searches

    Filters are applied inside a filtered query using the "filtered" key.

  2. Step 2: Check each option's structure

    {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} correctly uses "query": {"filtered": {"filter": {...}}} which is the right way to apply filters.

  3. Final Answer:

    {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} -> Option B

  4. Quick Check:

    Filter inside filtered query = {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} [OK]
Hint: Filters go inside a filtered query block in JSON [OK]
Common Mistakes:
  • Putting filter outside query block
  • Using match instead of term for exact filter
  • Missing filtered wrapper for filters
3. Given this saved search JSON snippet, what documents will it return?
{"query": {"filtered": {"query": {"match": {"title": "book"}}, "filter": {"term": {"status": "published"}}}}}
medium
A. Documents with title containing 'book' and status 'published'
B. Documents with title containing 'book' or status 'published'
C. Documents with status 'published' only
D. Documents with title containing 'book' only

Solution

  1. Step 1: Analyze the query and filter parts

    The query matches documents where title contains 'book'. The filter restricts to status 'published'.

  2. Step 2: Understand filtered query behavior

    Filtered query returns documents matching both query and filter conditions (AND logic).

  3. Final Answer:

    Documents with title containing 'book' and status 'published' -> Option A

  4. Quick Check:

    Filtered query = query AND filter [OK]
Hint: Filtered queries combine query and filter with AND logic [OK]
Common Mistakes:
  • Thinking query and filter use OR logic
  • Ignoring the filter part
  • Confusing match and term filters
4. You have this saved search JSON:
{"query": {"filtered": {"query": {"match": {"content": "test"}}, "filter": {"term": {"category": "news"}}}}

What is wrong with this JSON?
medium
A. The 'match' query is invalid inside filtered
B. Using 'term' filter instead of 'match'
C. Query should not have a filter
D. Missing closing braces at the end

Solution

  1. Step 1: Check JSON structure carefully

    The JSON snippet ends without closing all opened braces, causing syntax error.

  2. Step 2: Verify other parts are valid

    Using 'term' filter and 'match' query inside filtered is correct syntax.

  3. Final Answer:

    Missing closing braces at the end -> Option D

  4. Quick Check:

    JSON must be properly closed [OK]
Hint: Count opening and closing braces to spot JSON errors [OK]
Common Mistakes:
  • Ignoring missing braces causing syntax errors
  • Thinking 'term' filter is wrong here
  • Assuming filters can't be inside queries
5. You want to create a saved search that filters documents where 'status' is 'active' and 'priority' is either 'high' or 'medium'. Which JSON filter correctly represents this?
hard
A. {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}]}}}}}}
B. {"query": {"filtered": {"filter": {"term": {"status": "active"}, "terms": {"priority": ["high", "medium"]}}}}}
C. {"query": {"filtered": {"filter": {"or": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}}]}}}}
D. {"query": {"filtered": {"filter": {"must": [{"term": {"status": "active"}}, {"term": {"priority": "high"}}, {"term": {"priority": "medium"}}]}}}}

Solution

  1. Step 1: Understand the filter requirements

    Status must be 'active' AND priority must be 'high' OR 'medium'.

  2. Step 2: Identify correct bool filter usage

    Use 'must' for AND conditions and 'terms' for multiple values in one field.

  3. Step 3: Check each option

    {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}]}}}}}} uses 'bool' with 'must' array containing 'term' for status and 'terms' for priority, correctly matching requirements.

  4. Final Answer:

    {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}]}}}}}} -> Option A

  5. Quick Check:

    Bool must + terms array = correct filter [OK]
Hint: Use bool must with terms array for AND + multiple values [OK]
Common Mistakes:
  • Using 'or' instead of 'must' for AND logic
  • Putting multiple filters without bool wrapper
  • Using multiple term filters for same field instead of terms