"NOT Empty" KQL query returns records with empty fields

wpm · November 30, 2022, 8:40pm

My records have a text field called "My Field". For some records these are the empty string and for others they have a value. I want to find all the ones for which "My Field" is not the empty string. In the KQL query bar of Discover I create a query that says "NOT My Field: (empty)". This returns all the records in the index. I get the same result if I temporarily disable this query clause. If instead I create a query of the form "My Field: some value" I do get records returned.

(The data is proprietary, so I can't post an example.)

I must not be understanding something about KQL. What am I doing wrong?

jughosta · December 7, 2022, 10:02am

Hi @wpm,

Try querying a field with "keyword" field type instead if it's present in your index mapping.
For example: not my_field.keyword: "".

system · February 1, 2023, 8:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Match an empty field in kibana Kibana	4	30831	May 22, 2019
Kibana 6.6.1 - show only Docs where Field has a value Kibana	2	934	April 8, 2019
Field.keyword is empty, yet something is shown under field Kibana	6	3215	April 29, 2019
Changed many index field to Keywords now cannot query in KQL Kibana kql-kibana-query-language	3	419	June 1, 2020
KQL query for fields with a value which is not `-` Kibana	8	17543	December 6, 2022

"NOT Empty" KQL query returns records with empty fields

Related topics