Elastic Agent - ZIA integration

I recently set up ZIA integration with Elastic Agent. We are getting the data streams but are unable to search for anything; anything comes back with no results. I verified the default template and all fields are keywords, but if I do a filter, it works.

You just can't search for a keyword in the KQL syntax.

Not sure what I'm doing wrong here.

So I assume you are using the Zscaler ZIA | Elastic integrations | Elastic Zscaler Internet Access (ZIA) Elastic Agent integration with Fleet Server.

Because all the fields are indexed as keyword, you can't use the full-text search feature, but you can always search with wildcard/regex.

For example, in KQL the following query should return documents if the field exists: `csport: *`.

By default, why wouldn't the full-text search feature work? And how do you get it to work?

Can you share exactly what you are trying to do? Please share some screenshots for example.

Full-text search is done on fields that are mapped as text. The majority of fields do not need to be mapped as text because they contain just keywords, so they are mapped as keyword.

Keyword fields need to be searched for the exact match, case sensitive, or for part of it using wildcards.
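A minimal reproduction of the keyword vs. text behaviour described in the reply above, as an added example for Kibana Dev Tools Console (constructed index and field names, not the ZIA integration's own mappings):

```console
# Constructed index: one keyword field, one text field
# (example names, not the ZIA integration's real mappings).
PUT kql-demo
{
  "mappings": {
    "properties": {
      "country": { "type": "keyword" },
      "message": { "type": "text" }
    }
  }
}

POST kql-demo/_doc?refresh
{ "country": "PL", "message": "allowed request from PL" }

# Keyword field: exact, case-sensitive match returns the document.
GET kql-demo/_search?q=country:PL

# Keyword field: lower-case value is NOT analyzed, so 0 hits.
GET kql-demo/_search?q=country:pl

# Keyword field: wildcard on the stored value works.
GET kql-demo/_search?q=country:P*

# Text field: analyzed on index and query, so "pl" still matches "PL".
GET kql-demo/_search?q=message:pl

# Unqualified free text ("PL" with no field name) is sent to the
# fields listed in index.query.default_field; if the setting is
# not present on the index, Elasticsearch falls back to "*".
GET kql-demo/_settings/index.query.default_field

GET kql-demo/_search
{
  "query": { "query_string": { "query": "PL" } }
}
```

If the last search returns no hits while `country:PL` does, compare the index's `index.query.default_field` with the fields you expect free-text queries to cover.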

Example: this document has the country of PL. I want to free-text search for all documents from PL. 0 results come back. Note all fields are keywords as these are data streams from the ZIA integration.

Even with wildcards, nothing.

Yeah, this should work. Elasticsearch would search for the string PL in all fields and return documents where at least one field matches it.

Which version are you on? Are you on Elastic Cloud or on-premises?

Can you share the settings for that specific index? Just go into Kibana > Stack Management > Index Management > Data Streams.

Select the Zscaler data stream and click on one of the backing indices and then on the Settings tab to see the settings being applied.