I'm having some trouble (with Kibana 6.7) in finding the correct way to handle this situation:
field name: "Closure Code"
possible field values: ["False Positive", "Automatically Closed", "Closed by change", ... ]
I need to visualize them (in a metric) as:
- a) total number of documents
- b) num of docs with "Closure Code" = "False Positive"
- c) num of docs with "Closure Code" != "False Positive", i.e. a) - b)
I use a Filters aggregation:
a) *
b) Closure Code : False Positive
c) NOT (Closure Code : False Positive)
but sometimes the b) filter catches some documents with the string "Closure" in their body (in fields other than "Closure Code").
Please note that neither "Closure Code" : "False Positive"
nor Closure Code : "False Positive"
works: the former returns [...]parse_exception","reason":"Cannot parse '\"Closure Code\": \"False Positive\ [...]
while the latter gets translated to

```json
"query_string": {
  "query": "Closure Code: \"False Positive\"",
  "analyze_wildcard": true,
  "default_field": "*"
}
```

which actually returns the "unwanted" documents.
Is there a more reliable way to specify the filter in KQL?
(other than reindexing all documents to avoid spaces in field names, I mean)
Thank you for any suggestion,
Paolo
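As an added example (not from the original post), the same three buckets expressed in Elasticsearch query DSL rather than as query strings: in the DSL the field name is a JSON key, so the space in "Closure Code" is never handed to the query_string parser, which is what lets a bare "Closure" term leak into other fields via `default_field: "*"`. It assumes the field is mapped with a `Closure Code.keyword` sub-field (standard dynamic mapping); the aggregation and bucket names are chosen here.

```json
{
  "size": 0,
  "aggs": {
    "closure_code_buckets": {
      "filters": {
        "filters": {
          "a_all_documents": {
            "match_all": {}
          },
          "b_false_positive": {
            "term": { "Closure Code.keyword": "False Positive" }
          },
          "c_not_false_positive": {
            "bool": {
              "must_not": {
                "term": { "Closure Code.keyword": "False Positive" }
              }
            }
          }
        }
      }
    }
  }
}
```

Bucket c) counts every document not in b), including documents that lack the field, so it equals a) - b) exactly; if the index has no `.keyword` sub-field, use `match_phrase` on the analyzed field instead of `term`.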