Hi,
I am having the same issue exposed in the topic below, but it never got a final answer nor solution (if any). In my case I have more than 400 entries and do it one by one it will take hours.
The answer for this topic does not help much either when you have 400 entries to add:
The is one of field doesn't support copy pasting values. But I have some suggestions.
<field name>:(value1 OR value2 OR value3 ...), e.g. City:(Tokyo OR Barcelona)
<field name>:(value1 or value2), e.g. City:(Tokyo or Barcelona)
Add filter, then Edit as Query DSL and use:{
"query": {
"terms": {
"field name": [ "value1", "value2", "value3" ... ]
}
}
}
You could open a Github issue with your suggestion to enhance the usability, to ask the support of copy/paste of comma or space separated values in the is one of filter.
Thank you @Luca_Belluccini. I have been trying the solution #1 since last night. Kibana take a few seconds to process the query, but at least I can filter the data as needed. I am going to try also the solution #2 and will escalate the enhance proposal. Having this feature included in Kibana will make happy many users in need like me.
Have a good one.
@Luca_Belluccini. Just for the records. I tried solution #2 and did not work. The query editor did not show any error, but after saving the filter, Kibana shows an error (image below) and the visualization does not work at all. I am including the query and just sharing the feedback in case you want to take a look and maybe find what is failing. In the meantime I'll keep using solution #1.
PS: Using ELK 6.8.8
Thank you
{
"query": {
"bool": {
"should": [
{
"match_phrase": {
"alert.signature_id": ["2014797", "2015957"]
}
}
],
"minimum_should_match": 1
}
}
}
You have to use the query I've provided (you're using match_phrase, while I used terms):
{
"query": {
"terms": {
"alert.signature_id": ["2014797", "2015957" ]
}
}
}
Also, the terms aggregation requires a keyword field (if you have a field alert.signature_id.keyword, use it)
You were right. I tried exactly as you said. Here are the results:
"alert.signature_id": ["2014797", "2015957" ]
"alert.signature.keyword": ["2014797", "2015957"]
Again, I appreciate your time, effort and interest in helping me to resolve the issue
Thanks
If it works using alert.signature_id, it means it is a keyword field. 
No problem! Glad it solved the problem.
If you're opening the enhancement request on the Kibana repo, please refer to this discuss post.
Will do. Thank you!
Enhancement request submitted.
@Luca_Belluccini you have been very helpful. I really appreciate your time, effort, fast response and interest in helping me address this issue.
Would it be possible to reach out to you directly if I need future assistance? It would be great if could count with your valuable help.
Have a good one!
Hello @ManuelF,
I am from the Elastic Support Team and Elastic has support and consulting services.
You might check out Elastic Subscriptions.
I'm trying to help the community here on Discuss or meetups from time to time.
I understand. I'll take a look at those subscriptions. Maybe I'll see you again around Discuss some time.
Have a great day!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.