Kibana Filter aggregation: how to handle field names (and/or values) with spaces?

I'm having some trouble (with Kibana 6.7) in finding the correct way to handle this situation:
field name: "Closure Code"
possible field values: ["False Positive", "Automatically Closed", "Closed by change", ... ]
I need to visualize them (in a metric) as:

  • a) total number of documents
  • b) num of docs with "Closure Code" = "False Positive"
  • c) num of docs with "Closure Code" != "False Positive", i.e. a) - b)

I use a Filters aggregation:
a) *
b) Closure Code : False Positive
c) NOT (Closure Code : False Positive)

but sometimes the b) filter catches some documents with the string "Closure" in their body (in fields other than "Closure Code").

Please note that neither "Closure Code" : "False Positive" nor Closure Code : "False Positive" works: the former returns [...]parse_exception","reason":"Cannot parse '\"Closure Code\": \"False Positive\ [...], the latter gets translated to

"query_string": {
  "query": "Closure Code: \"False Positive\"",
  "analyze_wildcard": true,
  "default_field": "*"
}

which actually returns the "unwanted" documents.

Is there a more reliable way to specify the filter in KQL?
(other than reindexing all documents to avoid spaces in field names, I mean :) )

Thank you for any suggestion,
Paolo

You should reindex the data without spaces in the field names, and make sure the closure_code field is mapped as "keyword".

Later versions of Kibana allow a custom field label, which can be the "human friendly" name. So there really is no need to have a space in the field name.

Thank you, Tim.
I was hoping there was a different solution :)

BTW, it seems that using %20 instead of space is of some help, at least for the field name:
Closure%20Code: False Positive works slightly better than Closure Code : False Positive.
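
Added example, not part of any post in this thread: in Lucene query_string syntax a space in a field name is escaped with a backslash, which keeps the clause scoped to that one field instead of letting the loose term `Closure` fall through to the default field `*`. The Python sketch below builds that escaped clause and a filters aggregation body for the three buckets from the question; the function and bucket names are hypothetical, and exact-value matching still assumes the field is mapped as keyword, as the reply recommends.

```python
import json
import re

# Reserved characters that can be backslash-escaped in query_string syntax,
# plus whitespace (an unescaped space ends the field name).
_RESERVED = re.compile(r'([+\-=&|!(){}\[\]^"~*?:\\/\s])')


def escape_field(name):
    """Backslash-escape a field name so query_string reads it as one token."""
    return _RESERVED.sub(r"\\\1", name)


def quote_phrase(value):
    """Wrap a value in double quotes, escaping embedded quotes and backslashes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def field_query(field, value):
    """Return query text scoped to a single field (field escaped, value quoted)."""
    return f"{escape_field(field)}:{quote_phrase(value)}"


def filters_agg_body(field, value):
    """Search body with the three buckets from the question (names are hypothetical)."""
    scoped = {"query_string": {"query": field_query(field, value)}}
    return {
        "size": 0,
        "aggs": {
            "closure_codes": {
                "filters": {
                    "filters": {
                        "total": {"match_all": {}},
                        "matching": scoped,
                        # Negate in the query DSL rather than inside the query text.
                        "not_matching": {"bool": {"must_not": [scoped]}},
                    }
                }
            }
        },
    }


if __name__ == "__main__":
    # Text to type in the filter box, then the same clause inside a JSON body,
    # where the backslash and quotes are escaped once more by JSON itself.
    print(field_query("Closure Code", "False Positive"))
    print(json.dumps(filters_agg_body("Closure Code", "False Positive"), indent=2))
```

The printed clause is what goes into the filter input; inside a JSON request body the backslash appears doubled because JSON escapes it again.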
