KQL search problem

papmik · April 23, 2020, 11:21am

I want to filter it in the logs : message:cod=49 and the result: "No results match your search criteria". I try it like this message:cod?49 the result is same. I try it like this: message:cod=49 the result is Expected AND, OR, end of input, whitespace but "" found. message:cod=49 -----------------^.
How could i find the "cod=49" string in the "messge" field? (KIBANA v 7.6.1)
Thank you in advance for your help!

flash1293 · April 23, 2020, 12:05pm

Is cod=49 the only thing in the message field or is it just a substring? If it's just a substring and the field is of type keyword, then you have to match via message:*cod=49*.

It's recommended though to ingest the field as text in this case, then message:cod=49 should work and it's much more performant.

papmik · April 23, 2020, 4:01pm

Thank you very much for your help, but it still does not work.

Summary:

The message field contains a long string, including "delimiters" like | , key-value pairs like cod=491234567 etc.

In the index patterns, we see that the field is of type string not text. Or is that the same? (It is marked as searchable.)

I need to find records/entries whose message field contains cod=49 as a substring.
What query do I need to use for this?

These are the things I tried, with variable results, but never what I wanted:
Query: message:cod=49
Result: Finds entries with substring 49 OR cod, but not (only) cod=49

Query: message:"cod=49"
Result: No results match your search criteria

Query: message:"cod\=49"
Result: No results match your search criteria

Query: message:cod\=49
Result: Expected AND, OR, end of input, whitespace but "" found. message:cod=49 ---------------^

Query: message:"*cod=49*"
Result: No results match your search criteria

Query: message:*cod=49*
Result: No results match your search criteria

Query: message:"*cod\=49*"
Result: No results match your search criteria

Query: message:*cod\=49*
Result: Expected AND, OR, end of input, whitespace but "" found. message:cod=49 ----------------^

It worked differently in the previous version of KIBANA (Version: 6.2.4.)
There I query withmessage:*cod=49* and the result was all logs that contained xxxx, cod=49xxxx, as a substring in the message field.

papmik · May 4, 2020, 4:55am

any solutions?

system · June 1, 2020, 4:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Not able to search a string with colon in kibana search bar Kibana	2	828	May 10, 2017
Kibana and alphanum field search Kibana	3	731	July 6, 2017
Kibana search d Kibana	5	404	September 7, 2022
Substring search in Kibana 4 search bar Kibana	12	74550	July 6, 2017
Query does not return any information -- Problem with Kibana Query Language Kibana	3	842	July 29, 2020

KQL search problem

Related topics