How to include "+" as part of search in Kibana

Elastic Stack Kibana
1

Hi friends,

I'm trying to find docs that have timestamps of a particular time zone e.g. +13:00 but having trouble matching it properly.

It is matching times without the "+" in front.

I have a text field called message.content with the following mapping


{
  "wj-1": {
    "mappings": {
      "message.content": {
        "full_name": "message.content",
        "mapping": {
          "content": {
            "type": "text"
          }
        }
      }
    }
  }
}

Ingested following

POST wj-1/_doc
{
  "message":{
    "content": """{"someother time: 13:00 start: 2024-03-12T00:00:07+12:00 end"}"""
  }
}
POST wj-1/_doc
{
  "message":{
    "content": """{"someother time: 12:00 start: 2024-03-12T00:00:07+13:00 end"}"""
  }
}

I searche using Kibana Discover

message.content : "+13:00"

And got the response

    "hits": {
      "max_score": null,
      "hits": [
        {
          "_index": "wj-1",
          "_id": "mZb5No4B31f8CUBVXruD",
          "_version": 1,
          "_score": 0.9684832,
          "fields": {
            "message.content": [
              "{\"someother time: 13:00 start: 2024-03-12T00:00:07+12:00 end\"}"
            ]
          },
          "sort": [
            0.9684832
          ]
        },
        {
          "_index": "wj-1",
          "_id": "mpb5No4B31f8CUBVXrvV",
          "_version": 1,
          "_score": 0.9684832,
          "fields": {
            "message.content": [
              "{\"someother time: 12:00 start: 2024-03-12T00:00:07+13:00 end\"}"
            ]
          },
          "sort": [
            0.9684832
          ]
        }
      ]
    }

I only want mpb5No4B31f8CUBVXrvV since it have +13:00 and not mpb5No4B31f8CUBVXrvV as it only have 13:00

Also tried to query differently:

message.content : "\\+13:00"

Same result as above

message.content : *+13\:00*

No result

Help would be appreciated, thanks.

2

Hi @willie_0983,

You should be able to escape characters in your query using a single backslash "". Does that give you the single result you want?

3

HI Carly, that's for the suggestion but escaping with a backslash "\" did not make a difference

Screenshot 2024-03-14 at 8.58.24 AM
Screenshot 2024-03-14 at 8.58.24 AM1082×289 23.9 KB

4

Hi @willie_0983,

Welcome to the community!

The field should be keyword type. Then you can add a filter in Query DSL format (wildcard or regexp). Examples:

{
  "query": {
     "wildcard": {
        "message_content.keyword": {
          "value": "*+13*"
        }
     }
  }
}

{
  "query": {
    "regexp": {
      "message_content.keyword": ".+\\+13.+"
    }
  }
}
5

Changing the type from "text" to "keyword" works

Much appreciate the help.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.