How to search punctuation in the discover page?

Elastic Stack Kibana
1

I search message:"<-- 500"

image
image.png775×67 2.06 KB

image
image.png1514×117 9.49 KB

if I want to search message:"<-- " there is no result. I try message:"<--", also no result.
why??:disappointed_relieved:
thanks.

2

@tsullivan s going to take this one :slight_smile:

1 Like
3

Hi!

Most likely this is a case where <-- can't be searched because those characters aren't picked up by the analyzer that processes the message at index time. The 500 is tokenized, but the <-- isn't.

Elasticsearch has an API to test the standard analyzer, which allows you to see the tokens that are found in a message. Try this in Console:

POST _analyze
{
  "analyzer": "standard",
  "text": "hello <-- 500"
}

The result looks something like this:

{
  "tokens": [
    {
      "token": "hello",
      "start_offset": 0,
      "end_offset": 5,
      "type": "<ALPHANUM>",
      "position": 0
    },
    {
      "token": "500",
      "start_offset": 10,
      "end_offset": 13,
      "type": "<NUM>",
      "position": 1
    }
  ]
}

There are a few options you have to enable this workflow, but the solutions will all be steps to take in the setup of this index.

One option is to create a template that applies to newly created indices in this pattern, and specify a custom analyzer, using a tokenizer that will recognize those characters as a token. The whitespace tokenizer will do that:

POST _analyze
{
  "analyzer": "whitespace",
  "text": "hello <-- 500"
}

Another option is to add a field that can be searched on, only for documents with a message that has those characters. In other words, you can create an ingest node pipeline with a grok pattern that looks for <-- in incoming data. When it finds the match, it can add a field that will help you find all those documents in a search.

4

@tsullivan thanks very much, it's OK now.
And Here's another question to ask, when I search in Dev Tools tab and set size:500

image
image.png742×357 10.9 KB

sometimes, the kibana will become Red,
image
image.png1526×348 24 KB

Is it due to timeout or too much cold data?
thanks.

5

If Kibana status is "red," it means that one or more of the plugins have a red status. You gave a cropped screenshot of the status page, but on that same page will be a table of all the plugins and their status. If any of them aren't green, there will be a status message that should have some helpful info.

6

thanks very much :grinning:

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.