How to create a comma separated KQL filter of field values with a colon

One of the fields of the index I'm querying is 'sessionid'; it also has a sessionid.keyword field variant.
Values contain a colon. Examples:
136:11
99:5

What I'm trying to accomplish is a filter in the KQL-query bar like this:
sessionid.keyword: (136\:11 , 99\:5)
The backslash is to interpret the colon as an actual character (thanks to Issue with KQL string query that has colon).
But Kibana doesn't find anything even though I know that there are hits.
Using just one value works fine, e.g. sessionid.keyword: (136\:11)
What does work is using the 'or' operator --> sessionid.keyword: (136\:11 or 99\:5)
However, I would like to use a comma-separated alternative because I'm constructing this condition from code (PowerShell) to be executed on the Elastic/Kibana REST search API. A comma-separated statement is easier to make than an OR construction, in which case you need to create nested statements (bool ... should ... match ... etc.) for each value.

If you want to search for multiple terms in a simple request, you could use a 'terms' query, which doesn't require you to nest anything in a boolean clause.

Thanks for pointing out this query type.
A terms query for my current use case is too restrictive (?) as I also need to search for the occurrence of specific strings stored in the message field. For the latter I would still need a bool query, I think?
So I would need a combination of bool and terms query, maybe.

Yeah, if you want to do a text search on the message field while filtering on the sessionid.keyword, you'll have to use a boolean clause. Here are some more docs that show this in action. In your case, your query might look something like this:

GET <your_index>/_search
{
  "query": { 
    "bool": { 
      "must": [
        { "match": { "message":   "specific strings" }}
      ],
      "filter": [ 
        { "terms":  { "sessionid.keyword": ["136:11",  "99:5"] }}
      ]
    }
  }
}

This query would search the message field for 'specific strings' of docs with the sessionid.keyword of 136:11 and 99:5. If you want to search on all docs except those with a sessionid.keyword of 136:11 and 99:5, change the word 'filter' to 'must_not' in the query.
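As an added example (not code from the thread or from Elastic), here is how the query above can be built from PowerShell, which is what the original question asked about. Constructing the request body as nested hashtables and serializing with ConvertTo-Json means the session IDs need no escaping at all: the colons are just characters inside a JSON string. A small helper for the KQL-bar form with 'or' is included for the case where the filter has to be typed into Kibana instead. The host, index name and credentials are placeholders; the session IDs and message text are constructed sample input.

```powershell
# Added example, not from the original thread.
# Builds the bool + terms search body shown in the answer above.

function New-SessionSearchBody {
    param(
        [Parameter(Mandatory)] [string[]] $SessionIds,   # e.g. '136:11', '99:5'
        [Parameter(Mandatory)] [string]   $MessageText,  # full-text match on 'message'
        [switch] $Exclude                                # use must_not instead of filter
    )
    # 'terms' expects a JSON array; @() keeps it an array even for a single id
    $termsClause = @{ terms = @{ 'sessionid.keyword' = @($SessionIds) } }

    $bool = @{
        must = @( @{ match = @{ message = $MessageText } } )
    }
    # filter = only these sessions; must_not = every session except these
    if ($Exclude) { $bool.must_not = @($termsClause) } else { $bool.filter = @($termsClause) }

    return @{ query = @{ bool = $bool } }
}

function New-SessionKql {
    # KQL-bar equivalent: the colon must be escaped and values joined with 'or'
    param([Parameter(Mandatory)] [string[]] $SessionIds)
    $escaped = $SessionIds | ForEach-Object { $_ -replace ':', '\:' }
    return "sessionid.keyword: ($($escaped -join ' or '))"
}

# Constructed sample input
$ids  = '136:11', '99:5'
$body = New-SessionSearchBody -SessionIds $ids -MessageText 'specific strings'

# -Depth is essential: ConvertTo-Json defaults to depth 2 and would flatten
# query.bool.must[0].match into a string instead of an object.
$json = $body | ConvertTo-Json -Depth 10
$json

# KQL form for the query bar: sessionid.keyword: (136\:11 or 99\:5)
New-SessionKql -SessionIds $ids

# Sending the body to the search API (placeholder host and index name):
# Invoke-RestMethod -Method Post -Uri 'https://ES_HOST:9200/YOUR_INDEX/_search' `
#     -ContentType 'application/json' -Body $json -Credential (Get-Credential)
```

Passing -Exclude produces the must_not variant described in the answer. Because the body is assembled as data rather than by string concatenation, a session ID containing quotes or backslashes is serialized correctly rather than breaking the JSON or the KQL syntax.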
