Bird
Raised Fist0
Elasticsearchquery~10 mins

Saved searches and filters in Elasticsearch - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - Saved searches and filters
User creates search query
Apply filters to narrow results
Save search + filters as named object
Retrieve saved search
Execute saved search with filters
Display filtered results
End
User builds a search with filters, saves it, then later retrieves and runs it to get filtered results.
Execution Sample
Elasticsearch
POST /my-index/_search
{
  "query": {
    "bool": {
      "filter": [{ "term": { "status": "active" }}]
    }
  }
}
This query searches 'my-index' for documents where 'status' is 'active' using a filter.
Execution Table
StepActionQuery StateFilter AppliedResult Preview
1Create base querymatch_allnoneAll documents
2Add filter term status=activematch_allstatus=activeOnly active documents
3Save search as 'ActiveStatusSearch'match_allstatus=activeSaved query object
4Retrieve 'ActiveStatusSearch'match_allstatus=activeReady to run
5Execute saved searchmatch_allstatus=activeFiltered active documents
6Display resultsmatch_allstatus=activeDocuments with status active
💡 Execution ends after displaying filtered results from saved search.
Variable Tracker
VariableStartAfter Step 2After Step 3After Step 5Final
querymatch_allmatch_allmatch_allmatch_allmatch_all
filternonestatus=activestatus=activestatus=activestatus=active
saved_searchnonenoneActiveStatusSearch objectActiveStatusSearch objectActiveStatusSearch object
resultsnonenonenonefiltered docsfiltered docs
Key Moments - 3 Insights
Why do we use filters instead of queries for conditions like status?
Filters are faster and cacheable; as shown in execution_table step 2, adding a filter narrows results efficiently without scoring.
What happens when we save a search with filters?
Saving stores the entire query and filter setup as one object (step 3), so it can be reused exactly later.
How does retrieving a saved search help?
It loads the saved query and filters ready to run (step 4), saving time and avoiding retyping.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what filter is applied at step 2?
Amatch_all
Bstatus=active
Cterm=inactive
Dno filter
💡 Hint
Check the 'Filter Applied' column at step 2 in the execution_table.
At which step is the search saved as a named object?
AStep 5
BStep 1
CStep 3
DStep 6
💡 Hint
Look for the action mentioning 'Save search' in the execution_table.
If we remove the filter, what would the results show at step 5?
AAll documents
BNo documents
COnly active documents
DOnly inactive documents
💡 Hint
Refer to variable_tracker for 'filter' variable and its effect on 'results'.
Concept Snapshot
Saved searches combine queries and filters into reusable objects.
Filters narrow results efficiently without scoring.
Save searches to avoid rewriting queries.
Retrieve saved searches to run them anytime.
Use filters for fast, cacheable conditions.
Full Transcript
This visual execution shows how saved searches and filters work in Elasticsearch. First, a base query is created that matches all documents. Then, a filter is added to select only documents where status is active. This filtered query is saved as a named search object. Later, the saved search is retrieved and executed, returning only active documents. Variables like 'query' and 'filter' track the state of the search, and the saved search stores the combined query and filter for reuse. Filters improve performance by narrowing results without scoring. Saving searches saves time and ensures consistent queries. Retrieving saved searches loads them ready to run. The execution table and variable tracker help visualize each step clearly.

Practice

(1/5)
1. What is the main purpose of a saved search in Elasticsearch?
easy
A. To create visual charts from data
B. To store raw data permanently
C. To reuse a query easily without rewriting it every time
D. To delete old data automatically

Solution

  1. Step 1: Understand what saved searches do

    Saved searches store queries so you can run them again without rewriting.

  2. Step 2: Compare options to this purpose

    Only To reuse a query easily without rewriting it every time describes reusing queries easily, which matches saved searches.

  3. Final Answer:

    To reuse a query easily without rewriting it every time -> Option C

  4. Quick Check:

    Saved searches = reuse queries [OK]
Hint: Saved searches store queries for reuse, not data or visuals [OK]
Common Mistakes:
  • Confusing saved searches with data storage
  • Thinking saved searches create charts
  • Assuming saved searches delete data
2. Which of the following is the correct JSON structure to apply a filter in a saved search?
easy
A. {"query": {"match_all": {}}, "filter": {"term": {"status": "active"}}}
B. {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}}
C. {"query": {"term": {"status": "active"}}}
D. {"filter": {"match": {"status": "active"}}}

Solution

  1. Step 1: Recall filter syntax in Elasticsearch saved searches

    Filters are applied inside a filtered query using the "filtered" key.

  2. Step 2: Check each option's structure

    {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} correctly uses "query": {"filtered": {"filter": {...}}} which is the right way to apply filters.

  3. Final Answer:

    {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} -> Option B

  4. Quick Check:

    Filter inside filtered query = {"query": {"filtered": {"filter": {"term": {"status": "active"}}}}} [OK]
Hint: Filters go inside a filtered query block in JSON [OK]
Common Mistakes:
  • Putting filter outside query block
  • Using match instead of term for exact filter
  • Missing filtered wrapper for filters
3. Given this saved search JSON snippet, what documents will it return?
{"query": {"filtered": {"query": {"match": {"title": "book"}}, "filter": {"term": {"status": "published"}}}}}
medium
A. Documents with title containing 'book' and status 'published'
B. Documents with title containing 'book' or status 'published'
C. Documents with status 'published' only
D. Documents with title containing 'book' only

Solution

  1. Step 1: Analyze the query and filter parts

    The query matches documents where title contains 'book'. The filter restricts to status 'published'.

  2. Step 2: Understand filtered query behavior

    Filtered query returns documents matching both query and filter conditions (AND logic).

  3. Final Answer:

    Documents with title containing 'book' and status 'published' -> Option A

  4. Quick Check:

    Filtered query = query AND filter [OK]
Hint: Filtered queries combine query and filter with AND logic [OK]
Common Mistakes:
  • Thinking query and filter use OR logic
  • Ignoring the filter part
  • Confusing match and term filters
4. You have this saved search JSON:
{"query": {"filtered": {"query": {"match": {"content": "test"}}, "filter": {"term": {"category": "news"}}}}

What is wrong with this JSON?
medium
A. The 'match' query is invalid inside filtered
B. Using 'term' filter instead of 'match'
C. Query should not have a filter
D. Missing closing braces at the end

Solution

  1. Step 1: Check JSON structure carefully

    The JSON snippet ends without closing all opened braces, causing syntax error.

  2. Step 2: Verify other parts are valid

    Using 'term' filter and 'match' query inside filtered is correct syntax.

  3. Final Answer:

    Missing closing braces at the end -> Option D

  4. Quick Check:

    JSON must be properly closed [OK]
Hint: Count opening and closing braces to spot JSON errors [OK]
Common Mistakes:
  • Ignoring missing braces causing syntax errors
  • Thinking 'term' filter is wrong here
  • Assuming filters can't be inside queries
5. You want to create a saved search that filters documents where 'status' is 'active' and 'priority' is either 'high' or 'medium'. Which JSON filter correctly represents this?
hard
A. {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}]}}}}}}
B. {"query": {"filtered": {"filter": {"term": {"status": "active"}, "terms": {"priority": ["high", "medium"]}}}}}
C. {"query": {"filtered": {"filter": {"or": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}}]}}}}
D. {"query": {"filtered": {"filter": {"must": [{"term": {"status": "active"}}, {"term": {"priority": "high"}}, {"term": {"priority": "medium"}}]}}}}

Solution

  1. Step 1: Understand the filter requirements

    Status must be 'active' AND priority must be 'high' OR 'medium'.

  2. Step 2: Identify correct bool filter usage

    Use 'must' for AND conditions and 'terms' for multiple values in one field.

  3. Step 3: Check each option

    {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}]}}}}}} uses 'bool' with 'must' array containing 'term' for status and 'terms' for priority, correctly matching requirements.

  4. Final Answer:

    {"query": {"filtered": {"filter": {"bool": {"must": [{"term": {"status": "active"}}, {"terms": {"priority": ["high", "medium"]}]}}}}}} -> Option A

  5. Quick Check:

    Bool must + terms array = correct filter [OK]
Hint: Use bool must with terms array for AND + multiple values [OK]
Common Mistakes:
  • Using 'or' instead of 'must' for AND logic
  • Putting multiple filters without bool wrapper
  • Using multiple term filters for same field instead of terms