Kibana query searching for s3.amazonaws.com matches other keys as well unless double quoted

Hi all,

I've got an ES cluster that contains a heap of AWS events. One of the main fields I would like to search on is eventSource. In Kibana I have a number of filters saved, one of them is:

eventSource:s3.amazonaws.com

When I run this search in the discover field, I also get results for ec2.amazonaws.com which I don't understand. If I wrap the query string in double quotes, such as:

eventSource:"s3.amazonaws.com"

The filter works correctly. Now that I've got it to work, I'd like to understand why the quotes are necessary. Looking at:

eventSource:s3.amazonaws.com
and
eventSource:ec2.amazonaws.com

I don't understand why quotes would be required; can anyone shed some light on the cause?

Thanks!

Have a read of https://www.elastic.co/guide/en/elasticsearch/reference/5.3/query-dsl-query-string-query.html#query-string-syntax, it should help.

Thank you for the link, however after reading it I still don't understand the effect I'm seeing. Here are some examples taken from the Dev Tools Console.

Example 1:

GET /cwl-*/_search?pretty
{
"query": { "match": { "eventSource": "s3.amazonaws.com" } }
}
.....
{
"took": 31,
"timed_out": false,
"_shards": {
"total": 60,
"successful": 60,
"failed": 0
},
"hits": {
"total": 41652,
"max_score": 3.0560331,

Example 2:

GET /cwl-*/_search?pretty
{
"query": { "match": { "eventSource": "ec2.amazonaws.com" } }
}
.....
{
"took": 22,
"timed_out": false,
"_shards": {
"total": 60,
"successful": 60,
"failed": 0
},
"hits": {
"total": 41652,
"max_score": 2.9937177,

Example 3:

GET /cwl-*/_search?pretty
{
"query": { "match": { "eventSource": "rds.amazonaws.com" } }
}
.....
{
"took": 18,
"timed_out": false,
"_shards": {
"total": 60,
"successful": 60,
"failed": 0
},
"hits": {
"total": 1249,
"max_score": 7.096842,

Examples 1 and 2 both return the same number of documents, even though they are completely different search strings.

Example 3, which looks pretty much the same as example 2 in my eyes, returns a completely different number of documents, as I would expect.

If example 3 had returned the same results as example 2 then I would have been less confused, but as it was completely different, I still don't get it!
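An added example, not from the thread or from Elastic, modelling the likely cause of the numbers above: if eventSource is an analyzed text field, the standard tokenizer splits s3.amazonaws.com into the terms s3 and amazonaws.com (a dot only joins two letters or two digits), so an unquoted query or match becomes "s3 OR amazonaws.com" and also hits ec2.amazonaws.com, whereas rds.amazonaws.com stays one term; a quoted query is a phrase query, and a term query on an un-analyzed keyword field is exact. The tokenizer below is a simplified re-implementation of those word-break rules, the events are constructed, and the real field can be checked with GET /cwl-*/_analyze using "field": "eventSource" and "text": "s3.amazonaws.com". For a saved search used for monitoring, this silently widens the filter to other services.

```python
"""Why an unquoted eventSource:s3.amazonaws.com also matches ec2 events.

standard_tokens() is a simplified model of the standard tokenizer's
UAX#29 rules for letters, digits and '.': a '.' is kept only between
two letters or between two digits, so 's3.' breaks after the digit.
"""
import re


def standard_tokens(text):
    """Approximate standard-analyzer terms for ASCII letter/digit/'.' text."""
    tokens = []
    for chunk in re.findall(r"[A-Za-z0-9.]+", text.lower()):
        cur = ""
        for i, ch in enumerate(chunk):
            if ch != ".":
                cur += ch
                continue
            prev = chunk[i - 1] if i > 0 else ""
            nxt = chunk[i + 1] if i + 1 < len(chunk) else ""
            if (prev.isalpha() and nxt.isalpha()) or (prev.isdigit() and nxt.isdigit()):
                cur += ch          # 'amazonaws.com' stays one term
            else:
                if cur:
                    tokens.append(cur)  # 's3' is emitted on its own
                cur = ""
        if cur:
            tokens.append(cur)
    return tokens


# Constructed sample events, not taken from the cluster in the thread.
EVENTS = [
    {"id": 1, "eventSource": "s3.amazonaws.com"},
    {"id": 2, "eventSource": "ec2.amazonaws.com"},
    {"id": 3, "eventSource": "rds.amazonaws.com"},
    {"id": 4, "eventSource": "s3.amazonaws.com"},
]


def match_query(events, value):
    """Unquoted query_string / match on a text field: OR over analyzed terms."""
    terms = set(standard_tokens(value))
    return [e["id"] for e in events if terms & set(standard_tokens(e["eventSource"]))]


def phrase_query(events, value):
    """Quoted query: the analyzed terms must appear adjacent and in order."""
    needle = standard_tokens(value)
    hits = []
    for e in events:
        toks = standard_tokens(e["eventSource"])
        if any(toks[i:i + len(needle)] == needle for i in range(len(toks) - len(needle) + 1)):
            hits.append(e["id"])
    return hits


def keyword_term_query(events, value):
    """term query on an un-analyzed keyword field (assumed eventSource.keyword)."""
    return [e["id"] for e in events if e["eventSource"] == value]
```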

Hey @gjws, the queries you show here are not the same as the queries that kibana executes. Is it possible that there is just a one-to-one mapping of s3 and ec2 events that doesn't exist for rds?

Hi @spalger,

Sorry, I've been away for a few days. I'm not sure what you mean by a one-to-one mapping, do you mean the index mappings? How would I verify this?

Thanks!
