One of the fields of the index I'm querying is 'sessionid' , it also has a sessionid.keyword field variant.
Values contain a colon. Examples:
What I'm trying to accomplish is a filter in the KQL-query bar like this:
sessionid.keyword: (136\:11 , 99\:5)
The backslash is to interpret the colon as an actual character (thnx to Issue with KQL string query that has colon)
But Kibana doesn't find anything even though I know that there are hits.
Using just one value works fine, e.g.
What does work is using the 'or' operator -->
sessionid.keyword: (136\:11 or 99\:5)
However I would like to use a comma separated alternative because I'm constructing this condition from code (Powershell) to be executed on the Elastic/Kibana REST search api. A comma separated statement is easier to make than an OR-construction in which case you need to create nested statements (bool ... should ... match ... etc.) for each value.