Hello,
When we select this filter
It seems to apply not only to "update", but also for example to "update-security"....
Seems like a bug to me?
Willem
can you check the dsl that is generated ? (click edit query dsl in the filter)
The dsl filter:
{
"bool": {
"minimum_should_match": 1,
"should": [
{
"match_phrase": {
"infoblox_nios.log.dns.category": "update"
}
}
]
}
}
Yes, this is expected, since (I'm assuming) infoblox_nios.log.dns.category is an analyzed field. If you want an exact match, you'll have to use the keyword version of the field.
Honetly I have no clue what you mean this is expected. The filter says "match_phrase", but it doesn't match at all? The field doesn't has a keyword version fyi.
This is expected because this field is mapped as a text field as you can check here.
The field infoblox_nios.log.dns.category is mapped as text so it will be an analyzed field, in this case your query will match any document that has updated on it and not just documents that have only update but no update-security.
To have an exact match you would need the field to be mapped as keyword, you will also not have a keyword field because the mapping for it was not created.
It is not a bug, but in my opinion the mapping for this field seems to be wrong, if this represents a category with values like the ones you shared, this should've be mapped as a keyword field not a text field.
I think you should open an issue in the integrations repository so Elastic can look at it and change the mapping.
You could also try to use a runtime field to make this field behave like a keyword field, but beware that this can have a performance impact.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.