I have a kibana visualization that shows the counts of clicks on a field that contains a url as value. I want to filter the data that contains the particular url. For e.g : I am having a field namely "pageUrl" and values like pageUrl:"http://example.com" pageUrl:"http://example.com/page1" pageUrl:"http://example.com/page1/test" etc. When I am searching for pageUrl:"http://example.com/page1" it only shows the records that contains the exact url (in the above case it will fetch only one record i.e pageUrl:"http://example.com/page1") whereas I want it to show all the records that contains the given url i.e.(pageUrl:"http://example.com/page1/" pageUrl:"http://example.com/page1/test") both of the records should be shown. I am using Kibana-6.2.3 and elasticsearch 6.2. I am new to elasticsearch and kibana. Thanks in anticipation.
Hi, I am guessing that the pageUrl field is mapped as keyword in Elasticsearch. In other words, it isn't analyzed text.
You can use a wildcard query to search for URLs that begin with the same address. For example:
pageUrl:http://example.com/*
You can also create a filter that can be saved into a search, or pinned and re-used across different Kibana apps:
It's recommended to use trailing wildcards only for searching for substrings. Leading wildcards have serious performance issues due to the fact Elasticsearch has to process the field from every doc.
Hi Tim,
Thanks for your quick reply and suggestion. But I am not able to understand the difference between the search string pageUrl:http://example.com/ and pageUrl.analyzed:http://example.com/ as the search string that we are using is pageUrl.analyzed:http://example.com/ .
In addition to it is there any other way to get this done without using an explicit filter .
I mean if any change made to the mapping can help?
Thanks
Hi, analyzed text mapping is for fulltext search. For example, if you had a lot of biography data, and you needed to find the biographies that have certain words, phrases, topics, etc - you would want analyzed text. You don't want analyzed text mapping for doing log analysis.
The mapping of the logs should be plain keyword, not multi-field. If the field has pageUrl.keyword and pageUrl.analyzed, then it is multi-field.
https://www.elastic.co/guide/en/elasticsearch/reference/current/multi-fields.html#multi-fields
Trying to do wildcard search on pageUrl-as-analyzed text is not going to work, because the Elasticsearch tokenizer breaks up the string for full-text search, which is not what you want in your data.
When you filter pageUrl:http://example.com/, I'm not entirely sure if that references the keyword part by default. The multi-fields mapping will lead to other instances of confusion for Kibana, too.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.