Help with query

Hi,

I am trying to query inside the message to search for anything that contains 'HTTP STATUS', but I'd like the query to find all results that begin with 4, i.e. status=404 or status=400.

I can search for a singular one by doing this - message : "STATUS=404"
However, if I change it to just 4, I get no results. Is there a way to search for whether the message contains STATUS=4 that will come back with any results that begin with 4?

Hi @mbuchan74, welcome to the Elastic community.

It seems you are using Kibana Query Language. You can use a wildcard like below:

STATUS=4*

Let me know if you're using any other query language.

That being said, if it's a number, I'd do something like:

STATUS >= 400 AND STATUS < 500

Hi, I get no results from this; I tried it standalone and with message : before it.

To confirm, the only place the HTTP STATUS=XXX shows up is in the message field.

Hi,

Hi, I get no results from this; I tried it standalone and with message : before it.

To confirm, the only place the HTTP STATUS=XXX shows up is in the message field.

You should extract the data from the text and create a structured document, which will then be faster and more precise to query...

If you are using all the default behavior, I guess that message is a text field. Maybe you have a message.keyword field as well?

In which case, you could try something like:

message.keyword="*STATUS=4*"

But I'm really unsure and anyway that's definitely not the best way to use Elasticsearch...
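As an added example that is not part of the thread above: the structured approach the last reply recommends, shown end to end. The script simulates locally what an Elasticsearch grok ingest processor would do (extract the three-digit status from the free-text message into a numeric field), applies the 4xx range filter the question asks for, and builds the matching ingest pipeline and range query bodies. The sample log lines are constructed for the example, and the target field name http.response.status_code is an assumption (it follows the ECS naming convention, but the thread never names a field). A wildcard such as STATUS=4* finds nothing on an analyzed text field because the standard tokenizer splits on "=", so the index holds the tokens "status" and "404", never a token starting with "status=4".

```python
import re
from typing import List, Optional

# Constructed sample log lines (not taken from the original thread).
SAMPLE_MESSAGES = [
    "2024-01-01T10:00:00Z GET /login HTTP STATUS=200 bytes=512",
    "2024-01-01T10:00:01Z POST /api/orders HTTP STATUS=404 bytes=0",
    "2024-01-01T10:00:02Z GET /admin HTTP STATUS=403 bytes=0",
    "2024-01-01T10:00:03Z GET /health HTTP STATUS=500 bytes=0",
    "2024-01-01T10:00:04Z worker restarted, no status here",
]

# Python equivalent of the grok pattern used in INGEST_PIPELINE below:
# a literal "STATUS=" followed by a three-digit number.
STATUS_RE = re.compile(r"STATUS=(?P<status>\d{3})\b")


def extract_status(message: str) -> Optional[int]:
    """Pull the numeric HTTP status out of a free-text message, or None if absent."""
    m = STATUS_RE.search(message)
    return int(m.group("status")) if m else None


def is_client_error(status: Optional[int]) -> bool:
    """The condition the question asks for: status 'begins with 4', i.e. 400 <= status < 500."""
    return status is not None and 400 <= status < 500


def filter_client_errors(messages: List[str]) -> List[str]:
    """Return only the messages whose extracted status is a 4xx client error."""
    return [m for m in messages if is_client_error(extract_status(m))]


# Ingest pipeline body that performs the same extraction inside Elasticsearch at
# index time. The field name http.response.status_code is an assumed ECS-style name.
INGEST_PIPELINE = {
    "description": "Extract HTTP status from message into a numeric field",
    "processors": [
        {
            "grok": {
                "field": "message",
                "patterns": ["STATUS=%{NUMBER:http.response.status_code:int}"],
                "ignore_missing": True,
                # Messages without a status (see the last sample line) are left untouched.
                "ignore_failure": True,
            }
        }
    ],
}

# Query DSL range filter over the structured field. The KQL equivalent is:
#   http.response.status_code >= 400 and http.response.status_code < 500
CLIENT_ERROR_QUERY = {
    "query": {"range": {"http.response.status_code": {"gte": 400, "lt": 500}}}
}


if __name__ == "__main__":
    for line in filter_client_errors(SAMPLE_MESSAGES):
        print(extract_status(line), line)
```

Run stand-alone, the script prints the two 4xx lines (403 and 404). The pipeline body is what you would PUT to _ingest/pipeline/<name> and reference via the index's default_pipeline setting; once documents carry the numeric field, the range query above (or the KQL form in the comment) replaces the wildcard on message entirely.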