KQL search problem

papmik · April 23, 2020, 11:21am

I want to filter it in the logs : message:cod=49 and the result: "No results match your search criteria". I try it like this message:cod?49 the result is same. I try it like this: message:cod=49 the result is Expected AND, OR, end of input, whitespace but "" found. message:cod=49 -----------------^.
How could i find the "cod=49" string in the "messge" field? (KIBANA v 7.6.1)
Thank you in advance for your help!

flash1293 · April 23, 2020, 12:05pm

Is cod=49 the only thing in the message field or is it just a substring? If it's just a substring and the field is of type keyword, then you have to match via message:*cod=49*.

It's recommended though to ingest the field as text in this case, then message:cod=49 should work and it's much more performant.

papmik · April 23, 2020, 4:01pm

Thank you very much for your help, but it still does not work.

Summary:

The message field contains a long string, including "delimiters" like | , key-value pairs like cod=491234567 etc.

In the index patterns, we see that the field is of type string not text. Or is that the same? (It is marked as searchable.)

I need to find records/entries whose message field contains cod=49 as a substring.
What query do I need to use for this?

These are the things I tried, with variable results, but never what I wanted:
Query: message:cod=49
Result: Finds entries with substring 49 OR cod, but not (only) cod=49

Query: message:"cod=49"
Result: No results match your search criteria

Query: message:"cod\=49"
Result: No results match your search criteria

Query: message:cod\=49
Result: Expected AND, OR, end of input, whitespace but "" found. message:cod=49 ---------------^

Query: message:"*cod=49*"
Result: No results match your search criteria

Query: message:*cod=49*
Result: No results match your search criteria

Query: message:"*cod\=49*"
Result: No results match your search criteria

Query: message:*cod\=49*
Result: Expected AND, OR, end of input, whitespace but "" found. message:cod=49 ----------------^

It worked differently in the previous version of KIBANA (Version: 6.2.4.)
There I query withmessage:*cod=49* and the result was all logs that contained xxxx, cod=49xxxx, as a substring in the message field.

papmik · May 4, 2020, 4:55am

any solutions?

system · June 1, 2020, 4:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with KQL string query that has colon Kibana kql-kibana-query-language	5	10196	November 15, 2019
Extract part of a log using regex in KQL Kibana kql-kibana-query-language	1	681	March 3, 2023
Kibana search d Kibana	5	313	September 7, 2022
Help with query Kibana	5	80	May 21, 2024
Kibana search fails to find string Kibana	3	195	November 29, 2023

KQL search problem

Related Topics