I'm trying to use a wildcard for the message field but it doesn't seem to work. I'm trying to look for anything that starts with async and filter them out.
In the message field, it can look like this: async.channel.poolSize=0. So in KQL, if I do something like not message: "async*", I still seem to get docs back that begin with async in the message field.
KQL with wildcards is not as straightforward / obvious as you might expect.
When you put in "async*" in quotes it takes the * as a literal, so it does not match. Also, - signs can cause some issues. Also be careful, as these queries can be a bit expensive.
Try:
not message : async*
Here are the docs
and here is a nice little article on KQL with some more examples.
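To make the quoted-versus-unquoted distinction from the reply above concrete, here is a small, added example (not Kibana's or Elasticsearch's own code) that models the two query forms over a few constructed messages. It is a deliberate simplification: quoted terms are treated as a literal phrase in which * is an ordinary character, unquoted terms containing * are matched as wildcards against roughly analyzed tokens, and the tokenizer, the DOCS list and the run/kql_match helper names are all assumptions made for the illustration.

```python
"""Toy model of KQL `not message : <term>` semantics (added example, not Kibana code)."""
import fnmatch
import re

# Constructed sample documents for the illustration; not taken from the original post.
DOCS = [
    {"id": 1, "message": "async.channel.poolSize=0"},
    {"id": 2, "message": "sync worker started"},
    {"id": 3, "message": "literal async* marker"},
]


def tokenize(text):
    """Rough stand-in for a text analyzer: lowercase, split on whitespace and '='."""
    return [tok for tok in re.split(r"[\s=]+", text.lower()) if tok]


def kql_match(query, message):
    """Evaluate a query of the form `[not ]message : <term>` against one message.

    Quoted term   -> literal phrase; the '*' is just a character to find.
    Unquoted term -> wildcard pattern matched against each analyzed token.
    """
    negate = query.startswith("not ")
    rest = query[4:] if negate else query
    term = rest.split(":", 1)[1].strip()

    if term.startswith('"') and term.endswith('"'):
        # Quoted: look for the literal text, asterisk included.
        hit = term[1:-1].lower() in message.lower()
    else:
        # Unquoted: '*' acts as a wildcard over the analyzed tokens.
        hit = any(fnmatch.fnmatchcase(tok, term.lower()) for tok in tokenize(message))

    return (not hit) if negate else hit


def run(query):
    """Return the ids of the sample documents the query keeps."""
    return [doc["id"] for doc in DOCS if kql_match(query, doc["message"])]


if __name__ == "__main__":
    # The quoted form keeps doc 1 because no message contains the literal text async*;
    # the unquoted form drops it because the wildcard matches its first token.
    print('not message : "async*"  ->', run('not message : "async*"'))
    print("not message : async*    ->", run("not message : async*"))
```

Running it shows the behaviour the reply describes: the quoted query still returns the async.channel.poolSize=0 document, while the unquoted wildcard filters it out. In this model the quoted form only excludes the document that literally contains async*.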