Kibana cannot search the string that I input in the Discover page

Hi, everyone!
The following is my question:
Env:
Filebeat 5.5.1
Elasticsearch 5.5.1
Logstash 5.5.1
Kibana 5.5.1
OS : Linux 64bit

I use Filebeat as a shipper to ship logs to Logstash, which then outputs to Elasticsearch. I use Kibana as the UI to search logs.
But it seems that Kibana cannot search what I input in Kibana:
For example, when I search "/admin/em" in the following log sample, the string "/admin/em" cannot be found, but it does exist in the log. So I am confused!!! The following is my log sample:

03/Aug/2017:00:26:47 -0700|52.9.101.47|GET /admin/email/markedAsRead?uuid=3211755339325447&type=2&tag= HTTP/1.1|200|-|66.102.8.56|Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)|-|chime.me|845|0.018|0.018|172.31.21.87:28080|29917549|1|a2904ffe-29a8-471a-825c-6d03fbe745f8

The following is my logstash config:

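input {
  beats {
    port => 5044
  }
}
filter {
  ruby {
    # Build a YYYY-MM-DD string from @timestamp and store it in date_str,
    # which the file path and index name in the output section reference.
    code => "
      event.timestamp.time.localtime
      tstamp = event.get('@timestamp').to_i
      event.set('date_str', Time.at(tstamp).strftime('%Y-%m-%d'))
    "
  }
}
output {
  if [business] == "nginx" and [type] == "access" {
    # Keep a raw copy of each line on disk, one file per day
    file {
      path => "/home/ec2-user/realtime_log/nginx/nginx-access.%{date_str}"
      codec => line { format => "%{message}" }
    }
    # Index the same events into a daily Elasticsearch index
    elasticsearch {
      action => "index"
      hosts => "http://log.a.b.c.com:9200"
      index => "nginx-access-%{date_str}"
    }
  }
}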

Can you post a screenshot of Discover when you are searching for the field? Also, what type of field are you searching on? Is it analyzed?

One thing I can think of is if you are using an analyzed query on a non-analyzed field, the analyzed query would drop the "/"s but the non-analyzed field would retain them.

Or it's something much simpler like your time range is not encompassing your data span. Hence some screenshots would be helpful. Thanks!
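
Added example, not part of the thread or of either poster's message: a simplified Python model of the analyzed versus non-analyzed behaviour mentioned in the reply above, run on the request field from the question's log sample. The `analyze` function is an assumption, a rough stand-in that lowercases and splits on non-alphanumeric characters; it is not Elasticsearch's actual tokenizer.

```python
import re

# Constructed sample: the request field from the log line in the question.
LOG_FIELD = ("GET /admin/email/markedAsRead"
             "?uuid=3211755339325447&type=2&tag= HTTP/1.1")


def analyze(text):
    """Rough stand-in for an analyzer (assumption, not the real tokenizer):
    lowercase the text and split it on every non-alphanumeric character,
    so '/' and '?' disappear and only whole words remain as tokens."""
    return [tok.lower() for tok in re.findall(r"[A-Za-z0-9]+", text)]


def phrase_match(query, field_text):
    """Analyzed query against an analyzed field: every query token must
    equal a whole field token, in the same consecutive order."""
    q, f = analyze(query), analyze(field_text)
    return bool(q) and any(
        f[i:i + len(q)] == q for i in range(len(f) - len(q) + 1)
    )


def exact_match(query, field_text):
    """Non-analyzed on both sides: the field is one single term (the whole
    string, slashes included), so only the complete value matches."""
    return query == field_text


if __name__ == "__main__":
    print("field tokens:", analyze(LOG_FIELD))
    for q in ("/admin/em", "/admin/email", "admin email"):
        print(f"{q!r:16} tokens={analyze(q)} "
              f"phrase_match={phrase_match(q, LOG_FIELD)} "
              f"exact_match={exact_match(q, LOG_FIELD)}")
```

In this model "/admin/em" becomes the tokens `admin` and `em`, and `em` is not a whole token of the field (the field has `email`), while "/admin/email" matches because both of its tokens are.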
