Hi, trying to determine why a field isn't matching wildcard searches in our log data in Kibana alerting. We're on the elastic cloud stack, v7.9.2.
We need to add an AND condition for this particular log search and with * added for the NOT pmanqa text, the search is still matching log entries with awscloudwatch.logstream matching pmanqa*. Wondering what we need to add (double quotes, escape or different wildcard matching?) so log entries with awscloudwatch.logstream matching pmanqa don't trigger this alert. Screen caps attached, thanks.
Hi,
the search is still matching log entries with awscloudwatch.logstream matching pmanqa*. Wondering what we need to add (double quotes, escape or different wildcard matching?)
I expect the confusion here is arising from the expectation of wildcard functionality. This isn't currently supported but we do have a ticket here: https://github.com/elastic/kibana/issues/74130.
There is documentation here on which Elasticsearch query types map to which comparators.
There are also some example queries here which show how alerts are translated into Elasticsearch queries. The queries do vary from Discover, so this can be useful to see.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.