semanticsearch
Description
Performs semantic search on a vector field via OpenSearch neural query.
The semanticsearch command is only available for sources of type OpenSearch.
semanticsearch may be used in a query only when it is preceded by commands that also operate on the internal storage mechanism, such as source and peval. This condition must also hold for every subquery in the query.
Syntax
... | semanticsearch vector_field="<field>" query="<text>" model_id="<id>" [k=<int>]
Required Arguments
To use the command, the index must have a vector field of type knn_vector and an ML model configured for vectorization. See the OpenSearch documentation for details.
| Parameter | Syntax | Description |
|---|---|---|
| vector_field | vector_field="<field>" | Name of the vector field (knn_vector) in the index. |
| query | query="<text>" | Text of the semantic query, passed as neural.query_text. |
| model_id | model_id="<id>" | OpenSearch ML model identifier used to vectorize the query. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| k | k=<int> | 10 | Number of nearest neighbors requested in the neural query. |
Each result event contains the service field _score, the relevance score assigned to the event by the vector search.
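The following is an added example, not the product's own code: it parses the key="value" arguments of a semanticsearch command and builds the OpenSearch neural query body the command corresponds to, applying the required/optional argument rules and the default k=10 from the tables above. The argument parser and the model id used in the usage call are illustrative assumptions.

```python
import json
import re

# Matches key="quoted value" or key=bare_value; arguments may span several lines.
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REQUIRED = ("vector_field", "query", "model_id")


def parse_semanticsearch(command: str) -> dict:
    """Parse `[|] semanticsearch vector_field=... query=... model_id=... [k=<int>]`."""
    body = command.strip().lstrip("|").strip()
    parts = body.split(None, 1)  # split on any whitespace, incl. newlines
    name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if name != "semanticsearch":
        raise ValueError(f"not a semanticsearch command: {name!r}")
    args = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ARG_RE.finditer(rest)}
    missing = [p for p in REQUIRED if p not in args]
    if missing:
        raise ValueError("missing required argument(s): " + ", ".join(missing))
    k = int(args.get("k", 10))  # optional, defaults to 10 nearest neighbors
    if k < 1:
        raise ValueError("k must be a positive integer")
    args["k"] = k
    return args


def build_neural_query(args: dict, size=None) -> dict:
    """Build the OpenSearch request body for a `neural` query.

    k is how many nearest neighbors the k-NN search retrieves; size (optional)
    caps how many hits are returned, similar to qsize on the source command.
    """
    body = {"query": {"neural": {args["vector_field"]: {
        "query_text": args["query"],
        "model_id": args["model_id"],
        "k": args["k"],
    }}}}
    if size is not None:
        body["size"] = size
    return body


if __name__ == "__main__":
    # Constructed command; the model id is a placeholder, not a real model.
    cmd = ('| semanticsearch\n vector_field="event_embedding"\n'
           ' query="Signs of lateral movement via remote command execution"\n'
           ' model_id="MODEL_ID_PLACEHOLDER"\n k=3')
    print(json.dumps(build_neural_query(parse_semanticsearch(cmd), size=10), indent=2))
```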
Query Examples
Example 1 — Basic Semantic Search
Searches a security events index and returns the 10 nearest results.
source soc_events_prod qsize=10
| semanticsearch
vector_field="event_embedding"
query="Signs of lateral movement via remote command execution and credential theft"
model_id="_SNEuZwBQv2NK73Va9Ko"
Example 2 — Search with Neighbor Limit
The k parameter limits the number of nearest neighbors returned by the neural query to 3.
source soc_events_prod qsize=10
| semanticsearch
vector_field="event_embedding"
query="Signs of lateral movement via remote command execution and credential theft"
model_id="_SNEuZwBQv2NK73Va9Ko"
k=3
Example 3 — Combined Usage with ai
Semantic search results are passed to ai, which enriches each row with analysis fields.
source soc_events_prod
| semanticsearch
vector_field="event_embedding"
query="Signs of lateral movement via remote command execution and credential theft"
model_id="zXjJepwBnjnQtEv1MFtK"
| ai
model="gpt-oss-20b"
mode="per_row"
input="host.name,user.name,message"
user_message="For each row return risk, type, reason"
output="risk,type,reason"