Saved searches and filters in Elasticsearch - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is a saved search in Elasticsearch?
A saved search is a stored query that you can reuse later to quickly find data without rewriting the query each time.
beginner
How do filters differ from queries in Elasticsearch?
Filters are used to include or exclude documents without scoring, making them faster and cacheable, while queries calculate relevance scores.
intermediate
Why use saved filters in Elasticsearch?
Saved filters let you reuse common filtering logic easily, improving performance and consistency across searches.
beginner
How can you save a search in Kibana for Elasticsearch?
In Kibana, after creating a search with filters and queries, you can save it by clicking the 'Save' button and giving it a name for reuse.
intermediate
What is the benefit of combining saved filters with saved searches?
Combining saved filters with saved searches helps quickly apply common conditions and queries, saving time and reducing errors.
What does a saved search store in Elasticsearch?
A. A backup of the entire index
B. A reusable query to find data
C. A list of all documents
D. A visualization chart
Which of the following is true about filters in Elasticsearch?
A. Filters are cacheable and do not score results
B. Filters are slower than queries
C. Filters calculate relevance scores
D. Filters cannot be saved
How do saved filters improve search performance?
A. By recalculating scores each time
B. By storing all documents locally
C. By reusing common filtering logic and caching results
D. By deleting irrelevant data
In Kibana, how do you save a search?
A. By deleting filters
B. By exporting the index
C. By restarting Elasticsearch
D. By clicking the 'Save' button after creating the search
What is a key advantage of combining saved searches and filters?
A. It saves time and reduces errors by reusing logic
B. It requires rewriting queries each time
C. It deletes old data automatically
D. It slows down queries
Explain what saved searches and saved filters are in Elasticsearch and why they are useful.
Think about how saving queries and filters helps avoid repeating work.
Describe the difference between queries and filters in Elasticsearch and how saved filters affect search speed.
Focus on scoring and caching differences.

      Practice

      (1/5)
      1. What is the main purpose of a saved search in Elasticsearch?
      easy
      A. To create visual charts from data
      B. To store raw data permanently
      C. To reuse a query easily without rewriting it every time
      D. To delete old data automatically

      Solution

      1. Step 1: Understand what saved searches do

        Saved searches store queries so you can run them again without rewriting.
      2. Step 2: Compare options to this purpose

        Only option C, "To reuse a query easily without rewriting it every time", describes reusing queries, which is what saved searches do.
      3. Final Answer:

        To reuse a query easily without rewriting it every time -> Option C
      4. Quick Check:

        Saved searches = reuse queries [OK]
      Hint: Saved searches store queries for reuse, not data or visuals [OK]
      Common Mistakes:
      • Confusing saved searches with data storage
      • Thinking saved searches create charts
      • Assuming saved searches delete data
      2. Which of the following is the correct JSON structure to apply a filter in a saved search?
      easy
      A. {"query": {"match_all": {}}, "filter": {"term": {"status": "active"}}}
      B. {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}}
      C. {"query": {"term": {"status": "active"}}}
      D. {"filter": {"match": {"status": "active"}}}

      Solution

      1. Step 1: Recall filter syntax in Elasticsearch saved searches

        Filters are applied inside a filtered query using the "filtered" key.
      2. Step 2: Check each option's structure

        {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} correctly uses "query": {"filtered": {"filter": {...}}} which is the right way to apply filters.
      3. Final Answer:

        {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} -> Option B
      4. Quick Check:

        Filter inside filtered query = {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} [OK]
      Hint: Filters go inside a filtered query block in JSON [OK]
      Common Mistakes:
      • Putting filter outside query block
      • Using match instead of term for exact filter
      • Missing filtered wrapper for filters
      3. Given this saved search JSON snippet, what documents will it return?
      {"query": {"filtered": {"query": {"match": {"title": "book"}}, "filter": {"term": {"status": "published"}}}}}
      medium
      A. Documents with title containing 'book' and status 'published'
      B. Documents with title containing 'book' or status 'published'
      C. Documents with status 'published' only
      D. Documents with title containing 'book' only

      Solution

      1. Step 1: Analyze the query and filter parts

        The query matches documents where title contains 'book'. The filter restricts to status 'published'.
      2. Step 2: Understand filtered query behavior

        Filtered query returns documents matching both query and filter conditions (AND logic).
      3. Final Answer:

        Documents with title containing 'book' and status 'published' -> Option A
      4. Quick Check:

        Filtered query = query AND filter [OK]
      Hint: Filtered queries combine query and filter with AND logic [OK]
      Common Mistakes:
      • Thinking query and filter use OR logic
      • Ignoring the filter part
      • Confusing match and term filters
      4. You have this saved search JSON:
      {"query": {"filtered": {"query": {"match": {"content": "test"}}, "filter": {"term": {"category": "news"}}}}

      What is wrong with this JSON?
      medium
      A. The 'match' query is invalid inside filtered
      B. Using 'term' filter instead of 'match'
      C. Query should not have a filter
      D. Missing closing braces at the end

      Solution

      1. Step 1: Check JSON structure carefully

        The JSON snippet ends without closing all opened braces, causing a syntax error.
      2. Step 2: Verify other parts are valid

        Using 'term' filter and 'match' query inside filtered is correct syntax.
      3. Final Answer:

        Missing closing braces at the end -> Option D
      4. Quick Check:

        JSON must be properly closed [OK]
      Hint: Count opening and closing braces to spot JSON errors [OK]
      Common Mistakes:
      • Ignoring missing braces causing syntax errors
      • Thinking 'term' filter is wrong here
      • Assuming filters can't be inside queries
      5. You want to create a saved search that filters documents where 'status' is 'active' and 'priority' is either 'high' or 'medium'. Which JSON filter correctly represents this?
      hard
      A. {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}}]}}}}}
      B. {"query": {"filtered": {"filter": {"term": {"status": "active"}, "terms": {"priority": ["high", "medium"]}}}}}
      C. {"query": {"filtered": {"filter": {"or": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}}]}}}}
      D. {"query": {"filtered": {"filter": {"must": [{"term": {"status": "active"}}, {"term": {"priority": "high"}}, {"term": {"priority": "medium"}}]}}}}

      Solution

      1. Step 1: Understand the filter requirements

        Status must be 'active' AND priority must be 'high' OR 'medium'.
      2. Step 2: Identify correct bool filter usage

        Use 'must' for AND conditions and 'terms' for multiple values in one field.
      3. Step 3: Check each option

        {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}}]}}}}} uses 'bool' with a 'must' array containing 'term' for status and 'terms' for priority, correctly matching the requirements.
      4. Final Answer:

        {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}}]}}}}} -> Option A
      5. Quick Check:

        Bool must + terms array = correct filter [OK]
      Hint: Use bool must with terms array for AND + multiple values [OK]
      Common Mistakes:
      • Using 'or' instead of 'must' for AND logic
      • Putting multiple filters without bool wrapper
      • Using multiple term filters for same field instead of terms