How to use Kibana Query in 7.1.1

Hi Team,

I'm new to the ELK stack and I have successfully indexed the server log data into Elasticsearch and am able to view the indexed data in Kibana.
I have been trying to search for a certain set of strings in the message field which includes special characters like =,#,/,(,),[,],@ and a few more.
I have tried multiple ways to fetch the data I need so that I can create a dashboard.
But I failed to obtain the required result.

Sample log:
message:2019-07-24 06:56:22,626 INFO [LoggingResponseFilter] OPsjn_FVksuDzQ-N4GY0BMzUAG_0GK61L2pncwZ9hiHAJ29H2N9b!-211948433!1563965780309 AEO_US en_US POST /public/v1/currentUser/Login ([ACTIVE] ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)') {thread=Thread[[ACTIVE] ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads], threadId=91, sessionId=OPsjn_FVksuDzQ-N4GY0BMzUAG_0GK61L2pncwZ9hiHAJ29H2N9b!-211948433!1563965780309, userEmail=test3@test.com, customerIPAddress=x.x.x.x, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36, x-forwarded-for=x.x.x.x, 23.220.96.110} Authentication status=400, loginID=test3@test.com CAP Route End: route=/public/v1/currentUser/Login#POST, totalTime=271 ms

The above details are present in the message field. I have been trying to pull the logs which hold status=400, but I'm receiving logs which have other statuses too.

How do I query in Kibana to fetch only the logs which hold a status of 400?
Also, I need to know how to search "/public/v1/currentUser/Login" as a single string.

Hey @premkumar, are you looking for documents whose message field contains any of those special characters? If so, are you using Logstash or Elasticsearch's ingest node currently? Searching for the existence of those characters without adjusting your ingest pipeline is going to be incredibly unperformant.

Otherwise, you can use a Regexp query to search for these characters:
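Added example (not from this thread or from Elastic): the "adjust your ingest pipeline" route, as a pipeline body for `PUT _ingest/pipeline/weblogic-cap` in Kibana Dev Tools, whose grok processor splits the sample line above into fields so that `auth_status:400 and route:"/public/v1/currentUser/Login#POST"` becomes an exact KQL query instead of a substring hunt through `message`. The pipeline and field names are assumptions; the pattern is written against the one sample line in the question and needs `ignore_failure` so lines with a different shape still index.

```json
{
  "description": "Split WebLogic CAP log lines into queryable fields (added example; names are assumed)",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{TIMESTAMP_ISO8601:log_timestamp} %{LOGLEVEL:log_level} \\[%{DATA:logger}\\] %{NOTSPACE:session_id} %{NOTSPACE:site} %{NOTSPACE:locale} %{WORD:http_method} %{URIPATH:request_path} %{GREEDYDATA:thread_context} Authentication status=%{NUMBER:auth_status:int}, loginID=%{NOTSPACE:login_id} CAP Route End: route=%{NOTSPACE:route}, totalTime=%{NUMBER:total_time_ms:int} ms"
        ],
        "ignore_missing": true,
        "ignore_failure": true
      }
    }
  ]
}
```

Check it against a copy of the line with `POST _ingest/pipeline/weblogic-cap/_simulate` before setting it as the index's `index.default_pipeline`; until the fields exist, the closest the search bar gets is a quoted phrase such as `message:"Authentication status=400"`, which the standard analyzer turns into an adjacent-token match rather than a bare `status` hit.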

Thanks @Brandon_Kobel. It helped me out and gave me some ideas.
