Dear all
I have a question using the KQL to query for special char in kibana
it is like this, i have 2 data that have 2 field like this "test test" and "TEST+TEST"
when i type to query for "test test" it match both the "test test" and "TEST+TEST"
Is there a way to query for "test test" only or to discard the + in the query in kibana KQL
thank for your time
@lusynda, the easiest way to do this would probably run this search on the keyword field. on analyzed fields, it will use the inverted index, where you lose some of the exact context.
so e.g.: if you create this index dev-console:
PUT foobar
PUT foobar/_doc/0
{
"prop": "test test"
}
PUT foobar/_doc/1
{
"prop": "TEST+TEST"
}
You can these exact match searches
prop.keyword :TEST+* => matches TEST+TEST
prop.keyword :"test test" => matches test test
prop,keyword:"TEST+TEST" => matches TEST+TEST
thank you for your response
Yes well but the problems is that the doc that i have, in front of the word "test test" there are a bunch of random string, there is really no way for me to know what string is it so that why i couldnt use the keyword to query.
Are there any thing that could help me?
thanks for info, makes sense.
Wildcard searches don't work at the beginning of the string when using the Lucene or KQL query syntax (https://lucene.apache.org/core/2_9_4/queryparsersyntax.html#Wildcard%20Searches). It's a limitation of the language.
You could do regex searches directly against Elasticsearch using the query-DSL (https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html), which would allow this, but this is not directly supported in the Kibana UI.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.