I can't seem to filter on records that contain nothing more than {} in a text field. I've tried all kinds of queries such as the ["{}" TO *] syntax, and even simple NOT property:"{}". Nothing seems to work. I've attached a picture of the data field so that it's clear what I'm trying to isolate.
Try -property:"{}"
-- Asaf.
As I mentioned above, I've tested this: -other.finesse.errorInfo.eventDetails.ERROR:"{}". That has no impact on the search :(.
{} are special characters in Lucene query syntax, so you have to escape them.
I should have mentioned I tried this: -other.finesse.errorInfo.eventDetails.ERROR:"\{\}". That also doesn't remove these records from the search :(.
Mark - I can reproduce the behavior you describe. I indexed a couple of sample documents with string fields mapped to '{}' and I also cannot do a search for them using field_name:"{}".
As it turns out, the standard Elasticsearch analyzer drops these characters. You can ascertain this using the following query against your cluster:
curl -XGET 'localhost:9200/_analyze?analyzer=standard&pretty' -d '{}'
{
  "tokens" : [ ]
}
How are you indexing this data? Is there an option to use another analyzer, e.g. whitespace?
That's a great question, let me get back to you! Thank you for your help.
OK, so we're using the standard analyzer with the dynamic mappings being created by Logstash. It looks like this:
eventDetails: {
  properties: {
    ERROR: {
      type: "string",
      norms: {
        enabled: false
      },
      fields: {
        raw: {
          type: "string",
          index: "not_analyzed",
          ignore_above: 256
        }
      }
    },
I'm shocked that there is no way to search for strings containing special characters like this :(.
There should be if you switch to using another analyzer, such as "whitespace". Have you tried that?
I'm not certain how to do that, I'll do some research today. Thank you for clarifying your original answer :).
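Added example, not part of the original thread: a simplified Python model of why the analyzed field cannot match {} while a whitespace-analyzed field, or the not_analyzed raw sub-field shown in the mapping above, can. The analyzer functions are approximations written for this illustration (not Lucene code), phrase matching ignores term positions, and the sample documents are constructed.

```python
import re

# Simplified stand-ins for three analysis modes (assumptions, not Lucene code).
def standard(text):
    # Approximation of the standard analyzer: keep word-character runs,
    # lowercase them. Punctuation such as { and } never becomes a token.
    return [t.lower() for t in re.findall(r"\w+", text)]

def whitespace(text):
    # Split on whitespace only, so "{}" survives as a token.
    return text.split()

def not_analyzed(text, ignore_above=256):
    # Whole value indexed as one term; longer values are skipped (ignore_above).
    return [text] if len(text) <= ignore_above else []

def build_index(docs, analyzer):
    # Inverted index: term -> set of document ids containing it.
    index = {}
    for doc_id, value in docs.items():
        for term in analyzer(value):
            index.setdefault(term, set()).add(doc_id)
    return index

def search_excluding(docs, analyzer, phrase):
    """Model of -field:"phrase": ids of documents that remain in the results."""
    index = build_index(docs, analyzer)
    terms = analyzer(phrase)  # query text goes through the same analyzer
    if not terms:
        matched = set()  # zero query terms: the clause excludes nothing
    else:
        matched = set.intersection(*(index.get(t, set()) for t in terms))
    return sorted(set(docs) - matched)

# Constructed sample values for the ERROR field.
DOCS = {1: "{}", 2: "Device not accessible", 3: "{}", 4: "{ timeout }"}

if __name__ == "__main__":
    for name, analyzer in [("standard", standard), ("whitespace", whitespace),
                           ("not_analyzed (raw)", not_analyzed)]:
        print(name, "tokens for {}:", analyzer("{}"),
              "| remaining docs:", search_excluding(DOCS, analyzer, "{}"))
```

In this model the standard field keeps all four documents, matching the behaviour reported in the thread, while the other two modes drop documents 1 and 3.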