How to create a comma separated KQL filter of field values with a colon

DanielV · April 18, 2021, 8:06am

One of the fields of the index I'm querying is 'sessionid' , it also has a sessionid.keyword field variant.
Values contain a colon. Examples:
136:11
99:5

What I'm trying to accomplish is a filter in the KQL-query bar like this:
sessionid.keyword: (136\:11 , 99\:5)
The backslash is to interpret the colon as an actual character (thnx to Issue with KQL string query that has colon)
But Kibana doesn't find anything even though I know that there are hits.
Using just one value works fine, e.g. sessionid.keyword: (136\:11)
What does work is using the 'or' operator --> sessionid.keyword: (136\:11 or 99\:5)
However I would like to use a comma separated alternative because I'm constructing this condition from code (Powershell) to be executed on the Elastic/Kibana REST search api. A comma separated statement is easier to make than an OR-construction in which case you need to create nested statements (bool ... should ... match ... etc.) for each value.

Ryan_Hockstad · April 19, 2021, 12:54am

If you want to search for multiple terms in a simple request, you could use a 'terms' query, which doesn't require you to nest anything in a boolean clause.

DanielV · April 19, 2021, 12:20pm

Thnx for pointing out this query type.
A terms query for my current use case is too restricive (?) as I also need to search for the occurence of specific strings stored in the message field. For the latter I would still need a bool query I think?
So I would need a combo of bool and terms query maybe.

Ryan_Hockstad · April 19, 2021, 3:30pm

Yeah, if you want to do a text search on the message field while filtering on the sessionid.keyword, you'll have to use a boolean clause. Here are some more docs that show this in action. In your case, your query might look something like this:

GET <your_index>/_search
{
  "query": { 
    "bool": { 
      "must": [
        { "match": { "message":   "specific strings" }}
      ],
      "filter": [ 
        { "terms":  { "sessionid.keyword": ["136:11",  "99:5"] }}
      ]
    }
  }
}

This query would search the message field for 'specific strings' of docs with the sessionid.keyword of 136:11 and 99:5. If you want to search on all docs except those with a sessionid.keyword of 136:11 and 99:5, change the word 'filter' to 'must_not' in the query.

system · May 17, 2021, 3:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with KQL string query that has colon Kibana kql-kibana-query-language	5	10196	November 15, 2019
Query Kibana for strings WITHOUT commas? Kibana kql-kibana-query-language	2	617	September 5, 2023
Using KQL in Filters on Kibana to match strings that "ends with" Kibana	2	692	July 24, 2023
Index patterns - comma-separated list Kibana	3	1381	May 15, 2018
Changed many index field to Keywords now cannot query in KQL Kibana kql-kibana-query-language	3	419	June 1, 2020

How to create a comma separated KQL filter of field values with a colon

Related Topics