KQL unexpected behaviour when '/' on text field

masual · July 16, 2019, 11:12am

When using KQL expressions such as *keyword*, no results are displayed if the text field contains an slash ('/') and the "keyword" is located afterwards the slash. For example with the following text field value:

Process '848' hidden from /proc. Possible kernel level rootkit.

With the query *hidden* it works, but with *rootkit* no results are displayed .

Is that the intended behaviour?

ELK 7.2.0

Marius_Dragomir · July 18, 2019, 1:07pm

This shouldn't happen. Could you open an issue in the Kibana repo, please?

masual · July 18, 2019, 1:22pm

Done!
https://github.com/elastic/kibana/issues/41436

Thank You!

system · August 15, 2019, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.