No results on keyword search

Elastic Stack Kibana
1

Hello,

I have a specific field which has been indexed as a keyword type in ES.

The field contains some values that begin with %%.

Using the analyze api, it shows that the field is keyword analyzed, however when I search, it returns empty results.

My opinion is that its related to the values starting with %% but I dont seem to find any documentation that points to this behaviour.

Please see below some results.

Field mapping:
"event_data": { "properties": { "access_list": { "type": "keyword" }

Analyzing the field shows its keyword indexed.

GET windows-security-index/_analyze
{
  "field" : "event_data.access_list",
  "text" : "%%1537"
}


{
  "tokens": [
    {
      "token": "%%1537",
      "start_offset": 0,
      "end_offset": 6,
      "type": "word",
      "position": 0
    }
  ]
}

No results on the search:

GET /windows-security-index/_search
{
    "query" : {
        "term" : { "event_data.access_list" : "%%1537" }
    }
}


{
  "took": 30,
  "timed_out": false,
  "_shards": {
    "total": 8,
    "successful": 8,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  }
}

Any help or suggestions would be appreciated.

2

Issue has been resolved.

There was a space in the field which I had to remove with mutate strip

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.