Hi all,
I'm struggling with KQL recently. I have tried so many different styles of queries but I cannot, for some reason, get this query to match logs that do exist.
I am trying to match all logs that contain the word 'apache'. However, when trying all my queries no results are returned.
Does anyone know of a query that would match the word apache when it is in this style:
One of the queries I have tried is: 
hmm, thats pretty strange : Few questions:
Options button in the query bar and tell me if you have KQL enabled? Depending on the version you're using it might just be called "Enhanced query features" or something like that.keyword version of this field? If so you may try querying on that. My best guess is that there's something odd happening with the parsing or analysis of the query, and using the keyword version may avoid that complication. For example: application.api.responseText.keyword: *eligible\”\:true*
any helpful logs?
Thanks
Rashmi
I have been using Kibana 7.7 (issue existed here) and recently migrated to 7.8.
KQL is enabled and using the keyword version of the field makes no change to the result of the search. (message.keyword: apache or message.keyword: *apache)
No logs available. Running this query in Lucene: message : /.*apache.*/ does return results of the word apache.
I believe the issue is that when using KQL and running the search, message: apache, it is looking for the word apache, separated by spaces. It does not exist in this format. My reasoning for this is because it does find the existence of the entire phrase 'org.apache.solr.core.SolrCore.Request' when searched for.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.