Filter in Kibana Visualization on values with spaces in it

Philbert · March 15, 2021, 4:15pm

We use Kibana to analyse the HTTP logs of on our CDN.
One important field is the user agent. From the user agent I can see which device was requesting an HTTP request from the CDN.

I would like to gather statistics on how much each device type uses our services. Therefore, in a visualization, I create filters with this format:
c_user_agent: <first n characters of the user agent>*

This does not require nor accept the user agent string to be in quotes, but it fails because the user agents of our own devices actually have spaces in them. Their format is something like this:
<device type family>/<version> <device type><more stuff>
Notice the space between the version and the device type.

It doesn't appear to be possible to escape this space in Lycene or KQL, at least not with a backslash.

Is there any other way to do this?

lukeelmers · March 15, 2021, 8:28pm

What version of Kibana are you using?

KQL should still be able to search on a field where values contain spaces, as long as it is using a text multifield (not keyword). Searches containing spaces must be quoted.

agent: Foo*
// or
agent: "Foo bar"

Philbert · March 16, 2021, 10:36am

I'm using version v 7.8.1

I am not doing a search in the search bar, but trying to create filters, like this:

So the actual user agents are longer, as there is some more variation that is irrelevant to me and that I would like to aggregate.

Ideally, I would also like to wildcard the "29" and "30" so that the various software versions on the same device types are grouped.

system · April 13, 2021, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.