Kibana query string length limitation?

I have a search that returns several tens of thousands of entries. I have one of the fields separated out as userID. In the userID string there exists a user's organization. There are a LOT of these organizations. For purposes of this question, we'll say each letter of the alphabet is an organization. So a sample userID would look something like this:

Jonathan (Jon) Doe from A org

I would like to run an ad hoc query that returns users who belong in only... let's say 18... of the organizations. My Kibana query string looks roughly like this:

+type:"my-type" +"user is doing an event" !(userID: "A" "D" "E" "F" "M" "R" "S" "W")

The query works for the first several orgs I put in this list, but at some point the query just kinda... stops matching. The initial orgs are stripped from the results as expected, but eventually it stops filtering the results, so that given the above query I'll still get results like:

brandondash from W org

If I get rid of all the other orgs and only have "W" it successfully filters. It seems that the problem is related either to the length of the query string or the number of terms I am applying. What am I doing wrong?

Hi Brandon,

Can you check the Request that Kibana is sending to Elasticsearch? I just want to make sure Kibana is sending the query we expect.

In Discover, click the little arrow to show the spy panel. Then select Request.

Thanks,
Lee

{
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  },
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "+type:\"my-type\" +\"user is doing an event\" !(userID:\"A\" \"D\" \"E\" \"F\" \"M\" \"R\" \"S\" \"W\")",
            "analyze_wildcard": true
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1508644800000,
              "lte": 1511067599000,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "must_not": []
    }
  },
  "size": 0,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "_source": {
    "excludes": []
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1d",
        "time_zone": "America/New_York",
        "min_doc_count": 1
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    "@timestamp"
  ]
}

I don't think it's the length of the query string. I was able to use a query string like this just fine:

!(geo.src: "ID" "BD" "NP" BR PH CN CA AO IN US GT DE PK HK CI ET KZ IR MM SD CO KE RU JP LK GB UZ LY "FR" "KR" PL KR BE EG TH TN UA ZM UY VE)

When you say:

Are you saying that the userID field of that result is W?

When you say:

Do you mean that the userID is a field in your index, or did you create a scripted field for it in Kibana?

Regards,
Lee
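
As an added example (not code from the thread, from Kibana or from Elastic), here is a small Python parser that applies the Lucene query_string field-scoping rule to the query strings quoted above. The rule: a `field:` prefix binds only to the single term or the single parenthesised group that directly follows it, and every other term goes to the default field. Applied to `!(userID: "A" "D" ...)` that means only "A" is scoped to userID and the remaining org letters are searched in the default field; the rewrite `!userID:("A" "D" ...)` scopes all of them. The spy-panel request shown above confirms Kibana sends the string unchanged, so this scoping can be checked offline. The parser is a simplification (no ranges, boosts or fuzziness, which these queries do not use); the two sample queries are copied from the posts, and the grouped variant is my own rewrite for comparison.

```python
"""Show how a Lucene/Elasticsearch query_string scopes terms to fields.

Added example, not from the thread. Mini-parser following the query_string
field-scoping rule: a 'field:' prefix applies to the single term (or the
single parenthesised group) that immediately follows it; everything else is
searched in the default field. Does not talk to Elasticsearch and ignores
ranges, boosts and fuzziness, which the thread's queries do not use.
"""
import re
from typing import List, Tuple

Term = Tuple[str, str, bool]  # (field, term, negated)

_TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<field>[\w.@*]+):
  | (?P<phrase>"(?:[^"\\]|\\.)*")
  | (?P<paren>[()])
  | (?P<prefix>[+\-!])
  | (?P<word>[^\s()"+\-!][^\s()"]*)
    """,
    re.VERBOSE,
)


def _tokenize(query: str) -> List[Tuple[str, str]]:
    """Split the query into (kind, text) tokens, dropping whitespace."""
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {query[pos]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def scoped_terms(query: str, default_field: str = "*") -> List[Term]:
    """Return every term with the field it is actually scoped to.

    'negated' is True when the term sits under an odd number of !/-/NOT
    prefixes (a negated group negates all of its members).
    """
    tokens = _tokenize(query)
    idx = 0
    out: List[Term] = []

    def parse_clauses(field: str, negated: bool) -> None:
        nonlocal idx
        pending_neg = False
        while idx < len(tokens):
            kind, val = tokens[idx]
            if kind == "paren" and val == ")":
                return  # caller consumes the closing paren
            idx += 1
            if kind == "prefix":
                pending_neg = pending_neg or val in "-!"
                continue
            if kind == "word" and val.upper() in ("AND", "OR", "NOT"):
                pending_neg = pending_neg or val.upper() == "NOT"
                continue
            clause_neg = negated != pending_neg  # double negation cancels
            pending_neg = False
            clause_field = field
            if kind == "field":  # prefix binds to the next clause only
                clause_field = val
                if idx >= len(tokens):
                    raise ValueError("field prefix with no term")
                kind, val = tokens[idx]
                idx += 1
            if kind == "paren" and val == "(":
                parse_clauses(clause_field, clause_neg)
                if idx >= len(tokens) or tokens[idx] != ("paren", ")"):
                    raise ValueError("unbalanced parentheses")
                idx += 1
            elif kind in ("phrase", "word"):
                out.append((clause_field, val.strip('"'), clause_neg))
            else:
                raise ValueError(f"unexpected token {val!r}")

    parse_clauses(default_field, False)
    if idx != len(tokens):
        raise ValueError("unbalanced parentheses")
    return out


def default_field_terms(query: str, default_field: str = "*") -> List[str]:
    """Terms that fell through to the default field (no explicit field)."""
    return [t for f, t, _ in scoped_terms(query, default_field) if f == default_field]


# Sample queries copied from the thread; GROUPED_QUERY is my rewrite.
KIBANA_QUERY = ('+type:"my-type" +"user is doing an event" '
                '!(userID: "A" "D" "E" "F" "M" "R" "S" "W")')
GROUPED_QUERY = ('+type:"my-type" +"user is doing an event" '
                 '!userID:("A" "D" "E" "F" "M" "R" "S" "W")')
GEO_QUERY = ('!(geo.src: "ID" "BD" "NP" BR PH CN CA AO IN US GT DE PK HK CI ET KZ '
             'IR MM SD CO KE RU JP LK GB UZ LY "FR" "KR" PL KR BE EG TH TN UA ZM UY VE)')

if __name__ == "__main__":
    for name, q in (("as posted", KIBANA_QUERY), ("grouped", GROUPED_QUERY)):
        print(name)
        for field, term, neg in scoped_terms(q):
            print(f"  {'NOT ' if neg else '    '}{field}:{term!r}")
```

Running the block prints that the posted form carries exactly one `userID:` term, "A", while "D" through "W" are default-field terms; the grouped form carries all eight under `userID:`. The same scoping applies to the `geo.src` query in the reply above: one term on `geo.src`, the other 39 on the default field.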

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.