How to match a empty value field

neal1991 · January 4, 2018, 3:33am

I am trying to search the exchange logs in kibana. And sometimes there are some data just like:

2017-10-05 23:59:56 10.100.1.22 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 hdqsmsg01\sjzznhf 106.114.181.40 - 401 1 1326 78

And - will be a field means the field is empty, it will be indexed too. But I have not found a valid way to use filter to filter them. I have found that I can use !ua: [* TO *] to search them.(assume the field name is ua) But it will not work in filter in kibana. Or may the way of the filter is not written correctly. And I am confused if the filed is an empty value or other? How to filter them?

Thanks.

rashmi · January 4, 2018, 4:49pm

You can use this filter to Filter in/out the results. Once you save it you can edit the query DSL to see the filter. Let us know if this solves your q. If not, plz revert back. We will have to dig in further to see if this is a bug in our code or something else.

Thanks
Rashmi

neal1991 · January 5, 2018, 1:30am

@rashmi Thanks for your reply. I must have tried this. The filter will try to match "phrase" -

The fiter query DSL is:

{
  "query": {
    "match": {
      "ua": {
        "query": "-",
        "type": "phrase"
      }
    }
  }
}

. It will return no result. And the filter exists or does not exist will not be useful, because the filed does exists. The point is how to match the empty value.

system · February 2, 2018, 1:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.