I want to filter it in the logs: message:cod=49 and the result: "No results match your search criteria". I try it like this message:cod?49 the result is the same. I try it like this: message:cod=49 the result is Expected AND, OR, end of input, whitespace but "" found. message:cod=49 -----------------^.
How could I find the "cod=49" string in the "message" field? (KIBANA v 7.6.1)
Thank you in advance for your help!
Is cod=49 the only thing in the message field or is it just a substring? If it's just a substring and the field is of type keyword, then you have to match via message:*cod=49*.
It's recommended though to ingest the field as text in this case, then message:cod=49 should work and it's much more performant.
Thank you very much for your help, but it still does not work.
Summary:
The message field contains a long string, including "delimiters" like | , key-value pairs like cod=491234567 etc.
In the index patterns, we see that the field is of type string not text. Or is that the same? (It is marked as searchable.)
I need to find records/entries whose message field contains cod=49 as a substring.
What query do I need to use for this?
These are the things I tried, with variable results, but never what I wanted:
Query: message:cod=49
Result: Finds entries with substring 49 OR cod, but not (only) cod=49
Query: message:"cod=49"
Result: No results match your search criteria
Query: message:"cod\=49"
Result: No results match your search criteria
Query: message:cod\=49
Result: Expected AND, OR, end of input, whitespace but "" found. message:cod=49 ---------------^
Query: message:"*cod=49*"
Result: No results match your search criteria
Query: message:*cod=49*
Result: No results match your search criteria
Query: message:"*cod\=49*"
Result: No results match your search criteria
Query: message:*cod\=49*
Result: Expected AND, OR, end of input, whitespace but "" found. message:cod=49 ----------------^
It worked differently in the previous version of KIBANA (Version: 6.2.4.)
There I queried with message:*cod=49* and the result was all logs that contained xxxx, cod=49xxxx, as a substring in the message field.
Any solutions?
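Added example (not part of the thread and not Elastic's code): a simplified Python model of why the queries listed above behave differently on an analyzed text field and on a keyword field. The tokenizer is only a rough stand-in for the standard analyzer, and the log lines and function names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample log lines (not taken from the thread).
DOCS = [
    "2020-04-01 10:00:01|src=app1|cod=491234567|status=ok",
    "2020-04-01 10:00:02|src=app2|cod=501234567|retries=49",
    "2020-04-01 10:00:03|src=app3|id=77|status=ok",
]

def analyze(text):
    """Rough stand-in for the standard analyzer: lowercase, split on non-alphanumerics."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]

def text_match(doc, query):
    """Match on a text field: any analyzed query token equals a document token (OR)."""
    return bool(set(analyze(query)) & set(analyze(doc)))

def text_phrase(doc, query):
    """Phrase on a text field: query tokens must appear as consecutive whole tokens."""
    d, q = analyze(doc), analyze(query)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))

def text_wildcard(doc, pattern):
    """Wildcard on a text field: the pattern is tested against each token separately."""
    return any(fnmatchcase(tok, pattern.lower()) for tok in analyze(doc))

def keyword_wildcard(doc, pattern):
    """Wildcard on a keyword field: the pattern is tested against the whole stored value."""
    return fnmatchcase(doc, pattern)

def hits(matcher, query):
    """Return the indexes of the sample documents that the given matcher accepts."""
    return [i for i, doc in enumerate(DOCS) if matcher(doc, query)]

if __name__ == "__main__":
    print("text match     cod=49   ->", hits(text_match, "cod=49"))
    print("text phrase    cod=49   ->", hits(text_phrase, "cod=49"))
    print("text wildcard  *cod=49* ->", hits(text_wildcard, "*cod=49*"))
    print("keyword wildc. *cod=49* ->", hits(keyword_wildcard, "*cod=49*"))
```

In this model the `=` never reaches the index of a text field, so only the keyword-style wildcard returns the single line that really contains `cod=49`; the plain match also returns the second line, which has `cod=50…` and an unrelated `49`.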