Hello,
Now, I try to select some lines in my logs which begins with "Request finished"
message:Request*
message:Request finished* or message:"Request finished*" or message:Request finished or message:Request?finished*
message:Request\ finished*
Do you see a way to search it easilly trought KQL ?
Exemple of message I want to match :
Request finished HTTP/1.1 GET http://staging-wmsdevplatform.fmlogistic.fr:5000/api/Size/GetSupportQuantity?activityCode=SDO&depositCode=ECR&supportNumber=336042896110201330 application/json - - 404 0 - 17.1080ms
AClerk
March 16, 2021, 11:41pm
2
I found KQL not to work well with wildcards. Never managed to make it work as I expect it.
{
"query": {
"wildcard": {
"message": {
"value": "ki*y",
"boost": 1.0,
"rewrite": "constant_score"
}
}
}
}
Another option is a scripted field.
Thank you for your answer AClerk,
the fact is that I searched for a KQL syntax in order to use it easilly trough kibana.
Perhaps I will change elastic mapping and transform my field :
"message": {
"type": "wildcard"
},
into
"message" : {
"type" : "text",
"fields" : {
"keyword" : {
"ignore_above" : 256,
"type" : "keyword"
}
}
}
But I does not achieve to find which impact it will have on my data in term of search performance & database size
AClerk
March 22, 2021, 11:57pm
4
You can predefine a filter and your team can just enable/disable it.
I am not sure of the impact to your cluster after the change.
system
April 19, 2021, 11:58pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
