Hi, I hope someone can help me. Apologies, as it may be a stupid question and I am still learning.
Would anyone happen to have some simple guide or explanation they can point me to, to explain why this is happening?
I have the following type of record:
```json
{
  "_type": "_doc",
  "_id": "49606120302139348740181899632196521286098133251673554946.0",
  "_version": 1,
  "_score": null,
  "_source": {
    "timestamp": "2020-04-30 10:48:25,244",
    "action": "OAuth",
    "unknown1": " 1234567890",
    "ipaddress": " 127.0.0.1 ",
    "unknown2": " ",
    "device": " pa_customer",
    "authenticationtype": " OAuth20",
    "hosttype": " localhost",
    "providertype": " AS",
    "result": " success",
    "typemfa": " ProductHoldingAFM2FA",
    "message": " ",
    "duration": " 2596"
  },
  "fields": {
    "timestamp": [
      "2020-04-30T10:48:25.244Z"
    ]
  },
  "sort": [
    1588243705244
  ]
}
```
I recently changed most fields, as they are single words, to "keyword" fields.
I can create a filter and that works, but if I want to do a search with a KQL command like
`result: success`
or
`result:sucesss`
I get nothing?
I would expect the search to give me all records that have result as success. It worked before when these fields were set to text and not keyword, but now that I want these fields to be aggregatable to make pie charts etc., it does not.
If I wanted to type a KQL command to give me all events with a specific field name value, what would I need to type?
Apologies, I am just getting really confused; I am trying to follow a Kibana tutorial and the commands don't seem to be working for me.
My index patterns in Kibana show all relevant fields, including result, as searchable and aggregatable.
Thank you in advance.
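The behaviour described in the post, modelled as an added Python example (not part of the original post, and not Elasticsearch or Kibana code): the leading spaces visible in the record's values (" success", " OAuth20") are discarded by the analyzer of a text field, but a keyword field stores the whole string exactly, so a KQL query for `success` silently matches nothing, which for authentication logs like these is a detection gap, and a pie chart would split " success" and "success" into separate slices. The trim/normalizer and ingest-time cleaning functions are this example's assumptions about how such data would be fixed, not an answer given on the page.

```python
import re
from collections import Counter

# Constructed copy of the _source values from the post above; note the
# leading (and trailing) spaces the log parser left in most fields.
RECORD = {
    "action": "OAuth",
    "ipaddress": " 127.0.0.1 ",
    "authenticationtype": " OAuth20",
    "result": " success",
    "typemfa": " ProductHoldingAFM2FA",
}

def analyze_text(value):
    """Rough model of the standard analyzer used by a 'text' field: split on
    non-word characters and lowercase, so ' success' becomes ['success']."""
    return [tok.lower() for tok in re.split(r"\W+", value) if tok]

def text_match(stored, query):
    """A 'text' field matches when any analyzed query term appears in the
    analyzed stored terms; leading spaces vanish during analysis, which is
    why 'result: success' worked while the field was still 'text'."""
    return any(q in analyze_text(stored) for q in analyze_text(query))

def keyword_match(stored, query, normalizer=None):
    """A 'keyword' field is one exact string, so ' success' != 'success'.
    An optional normalizer (trim, lowercase) is applied to both sides; this
    models a mapping-level fix if the data cannot be cleaned at ingest."""
    if normalizer is not None:
        stored, query = normalizer(stored), normalizer(query)
    return stored == query

def trim_lowercase(value):
    """Normalizer equivalent of the 'trim' + 'lowercase' token filters."""
    return value.strip().lower()

def trim_source(doc):
    """Ingest-time fix (assumed): strip whitespace from every string value
    before indexing so keyword filters and aggregations see clean terms."""
    return {k: v.strip() if isinstance(v, str) else v for k, v in doc.items()}

def terms_buckets(values):
    """Model of a terms aggregation (the pie chart): each distinct exact
    string is its own bucket, so ' success' and 'success' split the count."""
    return dict(Counter(values))
```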