How to use reserved escape and wildcard at same time


(joseph mao) #1

I am new to this, and need help to generate a filter in Kibana.

My message field has a format like below:

```
time="2018-02-22 11:47:39" level=error msg=error TxID=JMAOAPI-PRD-DP01-323945624 elapsedTime=13.448852ms position=exit r.Method=GET statusCode=502
```

statusCode is the HTTP error code

I want to filter 5xx statusCode, so I use:

```
{
  "query": {
    "query_string": {
      "analyze_wildcard": true,
      "default_field": "message",
      "query": "statusCode\=/5[0-9][0-9]/"
    }
  }
}
```

and I always get a "Bad String" error, so I have to remove the escape before "=", making it:

```
"query": "statusCode=/5[0-9][0-9]/"
```

which returns the same result as

```
"query": "statusCode"
```

Can someone give a clue or answer?
Is there a bug in Kibana around reserved characters?

Thanks in advance !!


(David Pilato) #2

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

That'd be super interesting to parse your logs at index time with a Grok processor to generate a data structure which is much more useful like:

```
{
  "time": "2018-02-22 11:47:39",
  "level": "error",
  "msg": "error TxID=JMAOAPI-PRD-DP01-323945624",
  "elapsedTime": 13.448852,
  "position": "exit",
  "method": "GET",
  "statusCode": 502
}
```

Then you can use range queries.
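The suggestion in reply #2, worked through as an added example (not code from any poster in this thread): an ingest pipeline body with a Grok processor, the range query that replaces the regex filter, and a local regex stand-in so the field split can be checked offline. It assumes every line has the same keys, order and `ms` unit as the sample; `GROK`, `PIPELINE`, `RANGE_5XX`, `parse_line` and `is_5xx` are names chosen here.

```python
import json
import re

# Constructed sample: the log line from the question.
SAMPLE = ('time="2018-02-22 11:47:39" level=error msg=error '
          'TxID=JMAOAPI-PRD-DP01-323945624 elapsedTime=13.448852ms '
          'position=exit r.Method=GET statusCode=502')

# Grok expression for the ingest pipeline (assumption: fixed key order, ms unit).
GROK = ('time="%{TIMESTAMP_ISO8601:time}" level=%{WORD:level} msg=%{DATA:msg} '
        'elapsedTime=%{NUMBER:elapsedTime:float}ms position=%{WORD:position} '
        'r\\.Method=%{WORD:method} statusCode=%{NUMBER:statusCode:int}')

# Body for PUT _ingest/pipeline/<name>; the pipeline name is yours to choose.
PIPELINE = {"description": "Split key=value log lines into typed fields",
            "processors": [{"grok": {"field": "message", "patterns": [GROK]}}]}

# Once statusCode is indexed as a number, 5xx is a plain range query.
RANGE_5XX = {"query": {"range": {"statusCode": {"gte": 500, "lt": 600}}}}

# Local stand-in for the grok expression (plain regex, not grok itself).
LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)" level=(?P<level>\w+) msg=(?P<msg>.*?) '
    r'elapsedTime=(?P<elapsedTime>[\d.]+)ms position=(?P<position>\w+) '
    r'r\.Method=(?P<method>\w+) statusCode=(?P<statusCode>\d{3})$')

def parse_line(line):
    """Return the structured document for one log line, or None on no match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    doc = m.groupdict()
    doc["elapsedTime"] = float(doc["elapsedTime"])
    doc["statusCode"] = int(doc["statusCode"])
    return doc

def is_5xx(doc):
    """Apply the same bounds as RANGE_5XX to a parsed document."""
    bounds = RANGE_5XX["query"]["range"]["statusCode"]
    return bounds["gte"] <= doc["statusCode"] < bounds["lt"]

if __name__ == "__main__":
    print(json.dumps(PIPELINE, indent=2))
    print(json.dumps(parse_line(SAMPLE), indent=2), is_5xx(parse_line(SAMPLE)))
```

Lines that do not match the pattern fail the Grok processor, so decide how the pipeline should handle them before pointing production traffic at it.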

