Kibana partial/substring matches are not working

Rakesh_B · August 21, 2020, 2:59am

Hi,

Setup: Elasticsearch version 7.6.1
field name is log, here is the config in index template:

        "log": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },

Partial match doesn't work in KQL and Lucene:

Screen Shot 2020-08-20 at 7.53.46 PM2224×380 37.3 KB

Screen Shot 2020-08-20 at 7.53.28 PM2214×366 33.5 KB
Another question:
It works if I put a wildcard like this in both KQL and Lucene log: *RedisConnectionFailureException but when put double quotes it doesn't work even with a wildcard
Screen Shot 2020-08-20 at 7.52.34 PM2260×390 36.7 KB

We are trying to do a partial/substring search in Kibana UI but we are not getting any results, it seems to works only with wildcard expressions. Can you please tell us how to enable it OR let us know if we are doing anything wrong?

wylie · August 24, 2020, 4:28pm

I can help you with the syntax and general understanding of what is happening with these queries.

It looks like you're expecting partial matches on substrings without whitespace. This is not the default behavior of Elasticsearch, and you need to implement a different text analysis configuration to get this without wildcards.
Wildcards work the way you'd expect, which is that if you have a single token like **Production**RedisConnectionFailureException, then a wildcard can match the missing prefix like *RedisConnectionFailureException.

You have already figured out the correct syntax for wildcards. The syntax you used in the last example, without double quotes, is correct for KQL.

I notice that you are multi-mapping this field, so you have both log and log.keyword fields, but you aren't searching log.keyword. You may want to read up on mapping options.

system · September 21, 2020, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.