Not able to escape special characters


(liam) #1

So we have elasticsearch set up on AWS with KIbana and we are trying to do post requests to the elasticsearch endpoint to retrieve certain errors in logs. However some of the messages in our logs have the word error in but aren't an error. What we want to get is just the main error code which is displayed like [ERROR]. I have tried to escape the special character [ with a post request like this (using JSON):

{
"query": {
"query_string" : {

	"query": "@log_stream:testservice AND @message:\"[ERROR]\" AND @timestamp: [now-7d TO now]"      }

}
}

And a lot of variations of this but nothing is working.

If anyone could tell me if this is possible and also if we could maybe search for uppercase characters that would be great.


(David Pilato) #2

I'd say that it's a bad practice to just keep the message field as is without any parsing prior to indexing (using Grok for example).

Anyway, I guess this is not working because of the way your text as been analyzed.

Could you provide a full recreation script as described in About the Elasticsearch category. It will help to better understand what you are doing. Please, try to keep the example as simple as possible.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.