Issue with KQL string query that has colon

I'm trying to construct a simple query to match all logs lines that start with "Error: ", but when I try to search for this string, all lines that include the word 'error' (not case sensitive) anywhere in the string are returned. It doesn't seem to do anything with the colon in the string. I'd love it be case sensitive and take the colon into account with the query. If I can somehow indicate that the text should start with this string, that would be even better.

According to the KQL documentation, if I'm reading it right (https://www.elastic.co/guide/en/kibana/7.1/kuery-query.html), I should be able to use this query to accomplish what I'm looking for:
log_text: "Error: "

But it doesn't return what I described. I tried a number of variations of this as well, hoping someone can guide me in the right direction here, I feel like I'm missing something minor. Thanks in advance.

Hi Thomp,

Is log_text a text field or a keyword field?

Yep, it's a text field. I have a text and keyword version of the field. The keyword version is called log_text.keyword.

Since text fields are analyzed, whatever you search will also be analyzed and special characters will be stripped.

In other words, even if you had other special characters in your query against log_text, you'd still get matches (since they're filtered out).

What you really want is to search against the keyword version of the field. I think you'll want something along the lines of

log_text.keyword: Error\:*

The * is a wildcard that means "anything after this", and the \ escapes the colon so that it actually becomes part of the query.

This did the trick, thanks so much!

I use keyword fields only for full text matches most of the time and it didn't occur to me that I could do a filter like this against it, but this is precisely what I needed.

Appreciate the help!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.