Not able to escape special characters

liammcc · February 20, 2018, 11:13am

So we have elasticsearch set up on AWS with KIbana and we are trying to do post requests to the elasticsearch endpoint to retrieve certain errors in logs. However some of the messages in our logs have the word error in but aren't an error. What we want to get is just the main error code which is displayed like [ERROR]. I have tried to escape the special character [ with a post request like this (using JSON):

{
"query": {
"query_string" : {

	"query": "@log_stream:testservice AND @message:\"[ERROR]\" AND @timestamp: [now-7d TO now]"      }

}
}

And a lot of variations of this but nothing is working.

If anyone could tell me if this is possible and also if we could maybe search for uppercase characters that would be great.

dadoonet · February 20, 2018, 11:29am

I'd say that it's a bad practice to just keep the message field as is without any parsing prior to indexing (using Grok for example).

Anyway, I guess this is not working because of the way your text as been analyzed.

Could you provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

system · March 20, 2018, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.