Hi Elastic community! I am currently developing tagger analyzer rules for timesketch. For the rules I am supposed to use query_string, which is a mini language of Query string. I was trying to check something that contains '@hotmail.com', but I wasn't able to get any hits. The things I have tried are below, but none of them worked. Does anyone know how the escape characters for '@' or '-' work?
query_string: '_exists_:email AND NOT email:*@hotmail.com*'
query_string: '_exists_:email AND NOT email:*\@hotmail.com*'
query_string: '_exists_:email AND NOT email:*\\@hotmail.com*'
When you index a document with a "text" field, Elasticsearch applies the text analyzer process, which by default includes tokenization and conversion to lowercase.
The "text" field is processed by the default analyzer, which breaks the text into tokens based on spaces and punctuation marks. For example, xpto@hotmail.com can be broken into tokens like "xpto" and "hotmail.com".
When you use query_string with wildcards, Elasticsearch does not apply the same analyzing process to the query that was applied to the field during indexing. In this case, *@hotmail.com* does not exactly match any of the tokens that were indexed.
If you need to perform exact searches like this, consider storing the email in a keyword field. That way, the field value will be stored exactly as provided, without an analyzer.
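To make the answer concrete, here is an added Python example (not code from the thread, and not Timesketch's or Elasticsearch's own code) that simulates why the wildcard misses on an analyzed text field and matches on a keyword field. The tokenizer below is an assumed simplification of Elasticsearch's standard analyzer (lowercase, split on whitespace and on '@', keep dots between letters), not the real UAX#29 implementation; the sample email values, the `email.keyword` sub-field name and the mapping/query bodies are assumptions chosen to illustrate the point.

```python
import fnmatch
import re

# Constructed sample values, not taken from the original thread.
SAMPLE_EMAILS = ["xpto@hotmail.com", "alice@example.org", "Bob@HOTMAIL.com"]


def simulated_standard_tokens(value):
    """Simplified stand-in for the standard analyzer (assumption: it lowercases,
    splits on whitespace and '@', and keeps dots that sit between word
    characters, so 'xpto@hotmail.com' -> ['xpto', 'hotmail.com'])."""
    return re.findall(r"[a-z0-9]+(?:\.[a-z0-9]+)*", value.lower())


def wildcard_matches_any_token(pattern, tokens):
    """Lucene-style '*' / '?' wildcard matched against each indexed token."""
    return any(fnmatch.fnmatchcase(tok, pattern) for tok in tokens)


def text_field_hits(pattern, emails):
    """Documents a wildcard query would hit on an analyzed text field.
    The pattern is applied to the tokens, none of which still contain '@'."""
    return [e for e in emails
            if wildcard_matches_any_token(pattern.lower(), simulated_standard_tokens(e))]


def keyword_field_hits(pattern, emails):
    """Documents a wildcard query would hit on a keyword field: the whole
    value is one term and is compared verbatim (case-sensitive)."""
    return [e for e in emails if fnmatch.fnmatchcase(e, pattern)]


def keyword_field_not_hits(pattern, emails):
    """What 'NOT email.keyword:<pattern>' keeps: everything that did not match."""
    matched = set(keyword_field_hits(pattern, emails))
    return [e for e in emails if e not in matched]


def keyword_mapping():
    """Assumed index mapping: keep the analyzed text field for free-text
    search and add a keyword sub-field for exact / wildcard matching."""
    return {
        "mappings": {
            "properties": {
                "email": {
                    "type": "text",
                    "fields": {"keyword": {"type": "keyword"}},
                }
            }
        }
    }


def exclude_hotmail_query():
    """Assumed query_string body targeting the keyword sub-field; '@' needs
    no escaping, the original miss came from analysis, not from syntax."""
    return {
        "query": {
            "query_string": {
                "query": "_exists_:email AND NOT email.keyword:*@hotmail.com*"
            }
        }
    }


if __name__ == "__main__":
    pattern = "*@hotmail.com*"
    print("tokens:", simulated_standard_tokens("xpto@hotmail.com"))
    print("text field hits:", text_field_hits(pattern, SAMPLE_EMAILS))
    print("keyword field hits:", keyword_field_hits(pattern, SAMPLE_EMAILS))
    print("kept by NOT:", keyword_field_not_hits(pattern, SAMPLE_EMAILS))
```

Running it shows the wildcard finding nothing on the analyzed field and exactly `xpto@hotmail.com` on the keyword field. Note that `Bob@HOTMAIL.com` is not matched on the keyword field because keyword terms are compared case-sensitively; if mixed-case addresses are expected, lowercase the value at ingest or attach a lowercase normalizer to the keyword field.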