Discuss the Elastic Stack

In kibana(KQL), In the message field need to combine two conditions

Elastic Stack Kibana

souji (souji) November 2, 2021, 3:25am 1

Have text message like below in my index

"POST /app/v1/fetch/abcdefgh HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - “10.0.0.0” “example.xxx.xxx.com" "-" - - 10.10.10.1:80

"POST /app/v1/fetch/abcdefgh HTTP/1.1" 200 route_not_found - "-" 0 0 0 - “10.0.0.0” “example.xxx.xxx.com" "-" - - 10.10.10.1:80

"POST /app/v1/fetch/abcdefgh HTTP/1.1" 200 route_not_found - "-" 0 0 0 - “10.0.0.0” “example.xxx.xxx.com" "-" - - 10.10.10.1:80

How can search from kibana only to get the records for other than 200 means errors and has example keyword

warkolm (Mark Walkom) November 2, 2021, 5:33am 2

Ideally you would be extracting the fields during index time, using an ingest pipeline or similar.
If not, you can try to use a runtime field to pull the events apart and put them in their own fields. But it's likely to be a lot clunkier.

I'm not sure if kql can pull this apart like you want.

souji (souji) November 2, 2021, 12:15pm 3

thank you

system (system) Closed November 30, 2021, 12:15pm 4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
How to write two queries in kibana search bar Kibana	5	958	July 6, 2017
Searching in kibana only specific to a field Kibana	3	690	July 6, 2017
KQL search problem Kibana kql-kibana-query-language	4	9246	June 1, 2020
Strict search in Kibana Kibana	4	293	December 28, 2020
How to compare the value of two fields? Kibana	1	1757	July 6, 2017

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.