Issues with search query for Kibana + ES (5.4.0)

I am sending metrics via metricbeat to ES 5.4.0. But while hitting the below query in Kibana, I am getting unexpected results.

system.filesystem.used.pct :>0.9 NOT system.filesystem.mount_point: "/home_dir/*" NOT system.filesystem.mount_point: "/" NOT system.filesystem.mount_point: "/apps/logs"

After this query, I expect that search results should not contain results with mount_point: /
But I see them too in search results.

Very strange, I tried a similar query, but it works as expected for me:

What happens if you simply query for NOT system.filesystem.mount_point:\/ and system.filesystem.mount_point:\/? Do you get different results?

Can you post a screenshot of that field? I want to make sure it's not analyzed

I see, in my case it is analyzed. I have another field system.filesystem.mount_point.keyword which is not analyzed, and when I try to search with that it is working fine.
I don't understand how a field being analyzed can result in this while querying.

For both of these, I get no results.

Ah, the issue is because your field is analyzed. When the field is analyzed, it considers the / to indicate a new token (like the space character), so that the slash isn't indexed and can't be searched on. Can you change the field to not be analyzed? Did you manually change that? When I ran metricbeat v 5.4.3, the field was non-analyzed by default.
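
The tokenization described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not Elasticsearch code) of why a NOT clause on "/" removes nothing from the hits when the field is analyzed. `analyze_text` only approximates the standard analyzer, multi-token queries are matched as AND rather than as a phrase, and the function names and sample documents are constructed.

```python
import re

# Constructed sample hits: doc id -> mount_point value (assumed already matched
# by the rest of the query, e.g. the used.pct clause).
DOCS = {1: "/", 2: "/apps/logs", 3: "/home_dir/alice", 4: "/data"}

def analyze_text(value):
    """Approximation of an analyzed field: lowercase word tokens only;
    separators such as '/' are dropped and never reach the index."""
    return re.findall(r"\w+", value.lower())

def analyze_keyword(value):
    """Non-analyzed (keyword) field: the whole value is a single token."""
    return [value]

def build_index(docs, analyzer):
    """Inverted index: token -> set of doc ids containing it."""
    index = {}
    for doc_id, value in docs.items():
        for token in analyzer(value):
            index.setdefault(token, set()).add(doc_id)
    return index

def matching_docs(index, analyzer, query):
    """Docs containing every token of the analyzed query text.
    A query that analyzes to zero tokens matches nothing."""
    tokens = analyzer(query)
    if not tokens:
        return set()
    return set.intersection(*(index.get(t, set()) for t in tokens))

def filter_out(docs, analyzer, excluded):
    """Apply `NOT mount_point:"<excluded>"` to the given hits."""
    index = build_index(docs, analyzer)
    return sorted(set(docs) - matching_docs(index, analyzer, excluded))

if __name__ == "__main__":
    print("tokens for '/':", analyze_text("/"))
    print("analyzed, NOT '/':", filter_out(DOCS, analyze_text, "/"))
    print("keyword,  NOT '/':", filter_out(DOCS, analyze_keyword, "/"))
    print("analyzed, NOT '/apps/logs':", filter_out(DOCS, analyze_text, "/apps/logs"))
```
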

No, I didn't change it manually. In fact, I did not mention anywhere in my config for the field to be analyzed or not. I am using metricbeat 5.2.0 and passing it on to ES 5.4.0 via logstash 5.4.0.

I recommend upgrading metricbeat to match the versions for the rest of the stack.
