Elastic can't find simple text

If I search for "KCC", it doesn't find it, even though I'm looking right at entries with KCC in them.

If we search with no search term specified, we see all our log lines, e.g. this one:

2025-07-22T13:38:33,460Z INFO http-nio-8080-exec-1 c.x.x.filter.AccessLogFilter [correlationToken:KCC-205ZHEUAGM-659243788] => WebApi AccessLogger: path:/x/getM...

If we search for "WebApi" it finds this row. If we search for "KCC" it finds nothing. Also tried "KCC" and 'KCC'. Basically we want to search on the correlationToken, but neither KCC-205ZHEUAGM-659243788 nor 'KCC-205ZHEUAGM-659243788' nor "KCC-205ZHEUAGM-659243788" nor "KCC-205ZHEUAGM-659243788" nor KCC 205ZHEUAGM 659243788 will find rows with that value.

Is this normal? It makes using elastic to search logs almost useless.

We have it self-hosted, so it's an older version.

Hi @nutmix

What version?

There are 2 fundamental items needed to understand your issue:

  1. What is the mapping for the field you are searching? Please share the mapping.

  2. EXACTLY how are you searching?

Are you searching in Discover? If so Exactly how?

Are you searching via DSL (the query language)? If so, exactly how?

Share these items. Perhaps we can help.

You can check the tokenization with

It is probably the standard tokenizer

The standard tokenizer provides grammar based tokenization (based on the Unicode Text Segmentation algorithm, as specified in Unicode Standard Annex #29) and works well for most languages.

POST /_analyze
{
  "analyzer": "standard",
  "text": "2025-07-22T13:38:33,460Z INFO http-nio-8080-exec-1 c.x.x.filter.AccessLogFilter [correlationToken:KCC-205ZHEUAGM-659243788] => WebApi AccessLogger: path:/x/getM"
}

You will get back the tokens...

{
  "tokens": [
    {
      "token": "2025",
      "start_offset": 0,
      "end_offset": 4,
      "type": "<NUM>",
      "position": 0
    },
  ...
This is the token: it is not broken up on ':' as part of the standard analyzer / tokenizer, so they come together.
    {
      "token": "correlationtoken:kcc",
      "start_offset": 81,
      "end_offset": 101,
      "type": "<ALPHANUM>",
      "position": 12
    },

BUT IT DOES TOKENIZE on '-'

    {
      "token": "205zheuagm",
      "start_offset": 102,
      "end_offset": 112,
      "type": "<ALPHANUM>",
      "position": 13
    },
    {
      "token": "659243788",
      "start_offset": 113,
      "end_offset": 122,
      "type": "<NUM>",
      "position": 14
    },

This is why your searches do not work.

Your options are:

  1. Change the tokenizer or build a custom one
  2. Change the way you search... message : "correlationtoken:KCC"
  3. On ingest, replace ':' with a '-' or something else that will separate the tokens.
  4. Or, as Mark offers below... wildcard

This is exactly the sort of issue the wildcard field was created for: see the Elastic blog post "Find strings within strings faster with the Elasticsearch wildcard field".

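The following is an added example, not code from this thread or from Elasticsearch: it approximates the UAX #29 word-break rules the standard tokenizer applies to the posted log line (':' and '.' between letters join, '-' splits), then compares the search styles discussed above: a match on the analyzed text field, the same match after an ingest-time replacement of ':' (option 3), and a wildcard query against the raw value (Mark's option). The tokenizer regex and the AND-operator match semantics are assumptions of this model; `standard_tokens`, `match_query` and `wildcard_query` are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the log line quoted in the thread (path truncated as posted).
LOG_LINE = ("2025-07-22T13:38:33,460Z INFO http-nio-8080-exec-1 c.x.x.filter.AccessLogFilter "
            "[correlationToken:KCC-205ZHEUAGM-659243788] => WebApi AccessLogger: path:/x/getM")

# Approximation (assumption, not Elasticsearch's own code) of the UAX #29 rules behind the
# standard tokenizer: a word is a run of letters/digits; ':' or '.' between two letters
# (MidLetter/MidNumLet) and ',' or '.' between two digits (MidNum/MidNumLet) do NOT break the
# word, while '-', '/', '[', ' ' and everything else do. The standard analyzer then lowercases.
_WORD = re.compile(
    r"[A-Za-z0-9]+"
    r"(?:(?:(?<=[A-Za-z])[:.](?=[A-Za-z])|(?<=[0-9])[,.](?=[0-9]))[A-Za-z0-9]+)*"
)


def standard_tokens(text):
    """Tokens the standard analyzer would index for `text` (approximation, see above)."""
    return [w.lower() for w in _WORD.findall(text)]


def match_query(doc, query, char_filter=None):
    """Full-text search on an analyzed text field, modelled as a `match` query with
    operator AND: every query token must occur among the indexed tokens. `char_filter`
    maps characters before analysis, like an ingest-time replace of ':' (option 3)."""
    if char_filter:
        table = str.maketrans(char_filter)
        doc, query = doc.translate(table), query.translate(table)
    indexed = set(standard_tokens(doc))
    return all(t in indexed for t in standard_tokens(query))


def wildcard_query(doc, pattern):
    """Wildcard search on a `wildcard` (or `keyword`) field: a case-sensitive glob over the
    raw, untokenized value, so substrings that straddle '-' and ':' are found."""
    return fnmatchcase(doc, pattern)


if __name__ == "__main__":
    print(standard_tokens(LOG_LINE))                       # "correlationtoken:kcc" is token 12
    print(match_query(LOG_LINE, "KCC"))                    # False: no token "kcc" exists
    print(match_query(LOG_LINE, "correlationtoken:KCC"))   # True: option 2
    print(match_query(LOG_LINE, "KCC", {":": " "}))        # True: option 3
    print(wildcard_query(LOG_LINE, "*KCC-205ZHEUAGM-659243788*"))  # True: wildcard field
```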

Thanks for the reply.
