I'd like to search only in a specific field, like myfield:searchterm. But in my case, the field name contains a space character my field:searchterm. This will search for my in the default field and for searchterm in the field field, which does not even exist. I tried enclosing the field name in double quotes but I get an error. I also found that Lucene syntax supportes escaping spaces with a backslash, but my\ field:searchterm doesn't work either.
No need to tell me that spaces in field names are a bad idea in general and that this should be prevented, but still I have to deal with it. But how?
The backslash format is the right syntax, as you can see here:
Perhaps it's a time field issue? Are you using time-based events for the index pattern, and are you looking in a time range that actually has data?
I don't think this answer is correct. The only reason you see result here is because you left a space between ":" and *
While ES won't complain when you do "My\ field:>10" it will never find any results.
Hrm, perhaps you're right. While it's not really clear to me from the query docs, all the examples there explicitly do not include a space after the :, so it's entirely possible that it matters.
Looking at the query being sent to ES, I see the following:
- With \ and no space -
{"query_string":{"query":"my\\ field:*" ... - With \ and space -
{"query_string":{"query":"my\\ field: *" ... - With space in field name -
{"query_string":{"query":"my field:*" ...
So whatever you put in there seems to be sent unaltered to ES as a query_string inside of a bool query. That doesn't really answer your question of which one is right though. Unfortunately, I don't actually know. I'll go find out and post back here though.
I asked around, and most people didn't even think we supported spaces in field names. That's probably an indication that you shouldn't be doing that in the first place. FWIW, convention would seem to imply using _ in your field names in place of a space.
That said, there seems to be 2 ways to query a field with a space in it. The first is to simply escape the space in the field name, such as "query": "my\\ field:value". So, in Kibana, using a \ and no space before or after the : seems to be the way to do it. Given the original question, my\ field:searchterm should work.
The second uses the default_field parameter. Kibana simply passes whatever you put in that field into the "query" value when it's a string, but it will pass the entire contents into a bool query if you use valid JSON instead. So, I think you can query that field with the following as well: { "query_string": { "default_field": "my field", "query": "searchterm" }}, but I haven't tried that directly myself.