I can't seem to filter on records that contain nothing more than {} in a text field. I've tried all kinds of queries such as the ["{}" TO *] syntax, and even simple NOT property:"{}". Nothing seems to work. I've attached a picture of the data field so that it's clear what I'm trying to isolate.
try -property:"{}"
-- Asaf.
As I mentioned above, I've tested this: -other.finesse.errorInfo.eventDetails.ERROR:"{}". That has no impact on the search :(.
I should have mentioned I tried this: -other.finesse.errorInfo.eventDetails.ERROR:"\{\}". That also doesn't remove these records from the search :(.
Mark - I can reproduce the behavior you describe. I indexed a couple of sample documents with string fields mapped to '{}' and I also cannot do a search for them using field_name:"{}".
As it turns out that, the standard Elasticsearch analyzer drops these characters. You can ascertain this using the following query against your cluster:
curl -XGET 'localhost:9200/_analyze?analyzer=standard&pretty' -d '{}'
{
"tokens" : [ ]
}
How are indexing this data? Is there an option to use another analyzer, e.g. whitespace?
That's a great question, let me get back to you! Thank you for your help.
OK, so we're using the standard analyzer with the dynamic mappings being created by Logstash. It looks like this:
eventDetails: {
properties: {
ERROR: {
type: "string",
norms: {
enabled: false
},
fields: {
raw: {
type: "string",
index: "not_analyzed",
ignore_above: 256
}
}
},I'm shocked that there is no way to search for strings containing special characters like this :(.
There should be if you switch to using another analyzer, such as "whitespace". Have you tried that?
I'm not certain how to do that, I'll do some research today. Thank you for clarifying your original answer :).
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.