Kibana query of reserved characters

perry29 · February 26, 2018, 9:52pm

I am using the Kibana 'filter builder' to create a search like 'uri is x'. The uri field (from Bro http logs) contains this: /auth/spGo.php?assetid=home&supportid=

When I set 'x' to one of these, the search works and finds what I expect (note lack of escaping):
/auth/spGo.php?assetid=home&supportid
/auth/spGo.php?assetid
spGo.php?assetid

When I set 'x' to one of these, the search does NOT work and finds nothing:
/auth/spGo.php?assetid=home&supporti
/auth/spGo.php?asseti
php?assetid

I would like to do search for ?, but using \? does not work either.

Bug? Newbie error? Any solutions?

Thanks,
David

tylersmalley · February 27, 2018, 11:12pm

What is filter builder referring to?

perry29 · February 27, 2018, 11:41pm

Sorry, by filter builder, I mean the "Add a filter +" just below the search box at the top of the "Discover" menu. I am sure there is an official name for this, but I do not know what it is. I have been looking at ELK for about a week and a half, so I have a lot to learn.

perry29 · March 12, 2018, 10:16pm

What is the process to raise this as a possible bug?

perry29 · March 13, 2018, 5:27pm

Kibana version 6.2.2

Topic		Replies	Views
Searching for reserved characters within fields Kibana	3	706	August 19, 2019
KDL filter to exclude results with character? Kibana	0	39	September 5, 2024
How to use reserved escape and wildcard at same time Kibana	2	1813	March 23, 2018
How to search a value by special character Kibana kql-kibana-query-language	18	5290	July 4, 2023
Filter in ElasticSearch in Discover page Elasticsearch	2	436	July 5, 2017

Kibana query of reserved characters

Related topics