How to search punctuation in the discover page?

lin_hiro · February 26, 2018, 10:04am

I search message:"<-- 500"

if I want to search message:"<-- " there is no result. I try message:"<--", also no result.
why??
thanks.

bhavyarm · February 27, 2018, 7:21pm

@tsullivan s going to take this one

tsullivan · February 27, 2018, 9:46pm

Hi!

Most likely this is a case where <-- can't be searched because those characters aren't picked up by the analyzer that processes the message at index time. The 500 is tokenized, but the <-- isn't.

Elasticsearch has an API to test the standard analyzer, which allows you to see the tokens that are found in a message. Try this in Console:

POST _analyze
{
  "analyzer": "standard",
  "text": "hello <-- 500"
}

The result looks something like this:

{
  "tokens": [
    {
      "token": "hello",
      "start_offset": 0,
      "end_offset": 5,
      "type": "<ALPHANUM>",
      "position": 0
    },
    {
      "token": "500",
      "start_offset": 10,
      "end_offset": 13,
      "type": "<NUM>",
      "position": 1
    }
  ]
}

There are a few options you have to enable this workflow, but the solutions will all be steps to take in the setup of this index.

One option is to create a template that applies to newly created indices in this pattern, and specify a custom analyzer, using a tokenizer that will recognize those characters as a token. The whitespace tokenizer will do that:

POST _analyze
{
  "analyzer": "whitespace",
  "text": "hello <-- 500"
}

Another option is to add a field that can be searched on, only for documents with a message that has those characters. In other words, you can create an ingest node pipeline with a grok pattern that looks for <-- in incoming data. When it finds the match, it can add a field that will help you find all those documents in a search.

lin_hiro · February 28, 2018, 4:00am

@tsullivan thanks very much, it's OK now.
And Here's another question to ask, when I search in Dev Tools tab and set size:500

sometimes, the kibana will become Red,

Is it due to timeout or too much cold data?
thanks.

tsullivan · February 28, 2018, 6:13am

If Kibana status is "red," it means that one or more of the plugins have a red status. You gave a cropped screenshot of the status page, but on that same page will be a table of all the plugins and their status. If any of them aren't green, there will be a status message that should have some helpful info.

lin_hiro · February 28, 2018, 8:18am

thanks very much

system · March 28, 2018, 8:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.