How Query string pattern in kibana in simple syntax query space

Currently, we are using ELK stack for analysis of access logs
but we are not able to query specific pattern in field ex
in URL field there I have to filter only those URL how to have
/topic/something-something/public
/topic/something-nothing/public
/topic/something-one-thing/public
/topic/something-anything/public
/topic/something-many-thing/public
etc.
not these
/topic/hello
/topic/world
/public/hello
/public/world

how can I do that in Kibana dashboard's simple syntax query space
I am using ELK stack 6.3.2

Thanks in advance

Hi adg,

The first thing to understand is the difference between text and keyword fields.

text = analyzed (split by spaces and slashes into individual terms)
keyword = unanalyzed, sometimes also called raw (not split)

By example, here's a URL in an index of mine that shows 2 variations. One has .analyzed on the end which is indicating it's text which has been analyzed. That means it was parsed into terms by breaking the whole string up by spaces, slashes, and other non-alpha characters. The other is a keyword which means it's not broken up.

image.png1432×355 20.7 KB

So in Discover, if I want to specify a whole expression to match a URL, I would use that unanalyzed build.console-url field and use backslashes to escape the forwards slashes and the :. I'm leaving a * on the end as a wildcard.

build.console-url:https\:\/\/beats-ci.elastic.co\/job\/elastic+beats+pull-request+multijob-windows*

image.png1682×519 44.1 KB

So if you have the raw field in your mapping, you would use that with a query like;
\/topic\/something-*\/public

This blog doesn't cover escaping the slashes specifically, but has a lot of relevant info on the topic;

Regards,
Lee

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.