How to use slash ('/') to search in Discovery?

Elastic Stack Kibana
1

I'm testing ELK stack for nginx-access logs. It looks good except I have not found a way to search records in Kibana Discovery (v5.3.2) with a path that contains '/test/a'. Search works if I remove slashes, but in this case, I get more records that I need (ff/testtt/sss, '/ololo/oolo?testtestt', ...)

I tried different requests:

path:/\/test\/a/
path:/\\/test\\/a/
path:"/test/a"
path:"\/test\/a"
path:"\\/test\\/a"

but nothing works as I expect.

Records:

[
{
    ...
    "path": "/test/a1"
    ...
},
{
    ...
    "path": "/test/a2"
    ...
},
{
    ...
    "path": "/ololo/ololo?testtest"
    ...
},        
]

Mapping:

"path": {
  "type": "string", 
  "index": "analyzed", 
},

Is there any way to search using slashes as part of pattern?

2

The issue is because the field is being tokenized using the standard analyzer. If you have a non-analyzed version you can search for an escaped substring.

Here my query is being tokenized so the slash gets removed, and the tokens match the tokens in the field, but not the slash (so as you mention, it will match more than you want)

Screen Shot 2017-07-10 at 9.32.58 AM.png2958×1164 394 KB

Here I am searching on the non-analyzed version of the field, so I can search an exact substring. Using * in the query causes the query to not be analyzed to my slashes are preserved.

Screen Shot 2017-07-10 at 9.33.16 AM.png2688×1386 435 KB

Here you can see the two fields are indexed differently:

Screen Shot 2017-07-10 at 9.27.12 AM.png2132×644 44.3 KB

Hope this helps!

1 Like
3

For anyone else interested, this question was also answered on stackoverflow.com and the solution given seemed to work:

1 Like
4

I don't have path.raw field, hot to create it?

5

You can create path.raw by changing path field to be a multi-field, so it has both the analyzed and non-analyzed versions. Doesn't have to be raw. You can read more about setting that up here: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/multi-fields.html#multi-fields.

If you don't need the analyzed version though, you can also just change path to be non analyzed.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.