I've got some indices where documents contain a field called username. Sometimes the value is a username, like bob or alice, and often the value is -. What's a KQL query that will return documents where the value of username is not -?
not username:"-" doesn't work and nor does not username:"\-"
(I'm not looking at that thing where Kibana sometimes shows - for a field value because the field doesn't exist in a document and thinking the value is -, I have checked the JSON view of documents, the field exists, it's value is -.)
The easiest way is to find a document in Discover where you have the value of - and then click on the magnifying glass with the minus sign in it. That will filter out documents with that value.
As for what I think was wrong in that query, it might be because you have to use NOT as KQL is case sensitive.
The icon doesn't look like a magnifying glass but I know the one you mean. And it is easy. And it causes Kibana to show that it has added the desired filter.
But it does not do anything. The number of hits Kibana reports does not change with the filter applied. Nothing is actually filtered out.
says
KQL supports or, and, and not. By default, and has a higher precedence than or. To override the default precedence, group operators in parentheses. These operators can be upper or lower case.
I've tried "not" and "NOT" (with queries that do not involve a value of -) and got the same results.
@stephenb I refer you to the last paragraph of my original post. I am aware that in scenarios such as the one you show in your screenshots Kibana will show - for a field value to indicate that the field does not exist in that document. I am working with indices in which some documents contain a field with a value of -. Here is a part of the JSON I get if I request such a document with curl via the Get API.
username.keyword is the answer, thanks! (An answer with an irritating feeling of déjà vu.)
No beats are involved, various systems are sending JSON to a Logstash tcp input and we have an index template that was loaded by our configuration management. username is indeed type text
which we have because sometimes usernames look like domain\bob and we want those to be returned by a search for username:bob (hence username can't be keyword).
So not username.keyword:"-"
removes documents where the value is - and not username.keyword:"-" and not username.keyword:""
also removes documents where the value is (for what I assume are really good reasons…) a zero length string like this
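To show the mapping and queries the thread arrives at in one place, here is an added example in Kibana Dev Tools console syntax; it is not taken from the original posts or from the poster's own index template. The template name, index pattern, sample documents and the ignore_above value are all assumptions made for the example. It mirrors the poster's setup (username as text with a keyword sub-field, so that domain\bob is found by username:bob) and gives the Query DSL equivalent of the KQL that finally worked. The reason the plain username:"-" form fails is that the standard analyzer on a text field produces no token at all for "-", so there is nothing for the match to hit and the negation then matches every document; the keyword sub-field stores the raw value, which is why the term query on username.keyword works.

```console
# Hypothetical index template: text field with a keyword sub-field (assumed values)
PUT _index_template/hypothetical-auth-logs
{
  "index_patterns": ["hypothetical-auth-logs-*"],
  "template": {
    "mappings": {
      "properties": {
        "username": {
          "type": "text",
          "fields": {
            "keyword": { "type": "keyword", "ignore_above": 256 }
          }
        }
      }
    }
  }
}

# Constructed sample documents covering the cases discussed in the thread
POST hypothetical-auth-logs-000001/_bulk
{"index":{}}
{"username":"bob"}
{"index":{}}
{"username":"domain\\bob"}
{"index":{}}
{"username":"-"}
{"index":{}}
{"username":""}

# KQL typed into Discover (from the thread):
#   not username.keyword:"-" and not username.keyword:""
# Query DSL equivalent, which should return only bob and domain\bob
GET hypothetical-auth-logs-*/_search
{
  "query": {
    "bool": {
      "must_not": [
        { "term": { "username.keyword": "-" } },
        { "term": { "username.keyword": "" } }
      ]
    }
  }
}

# The text field still lets username:bob match domain\bob, as the thread requires
GET hypothetical-auth-logs-*/_search
{
  "query": { "match": { "username": "bob" } }
}
```

When reviewing a template like this, check that a keyword sub-field actually exists for any field you intend to filter on exact values; if the template only defines a text field, the Discover filter icon will add a filter that looks right but, as the poster saw, excludes nothing.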