Query on KQL to get an exact match

ldomenella · March 4, 2020, 5:18pm

hi all,
im running elastic 7.6 and kibana 7.6. Im getting logs from my 2 servers tomcat and i use filebeat to send them directly to elasticseach..
doing it i added some custom fields: project
the project field is populated like that (for example):

myproject-platform-backend
myproject2-platform-backend
platform-backend

when i add this on the discovery -> query:
fields.project : "platform-backend"

i expect to see only my logs coming from this tomcat here.... but i see also the logs from the other 2...

the : is an exact match from the docs... what am i doing wrong ?

best
Luca

flash1293 · March 4, 2020, 8:53pm

Is the project field mapped as a text field? If you want to do exact matches, it's recommended to use a keyword indexed field, then the query should only return the third document.

ldomenella · March 5, 2020, 7:57am

hi,
this is mapping i've got:
"project": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}

looks to be keyword...

flash1293 · March 5, 2020, 8:06am

This means “project” is a text field, but there is a keyword indexed version of the same field called “project.keyword”. Try filtering on the second one, that should work as you expect.

Topic		Replies	Views
String query - exact string Kibana	7	40623	May 15, 2019
Lucene query syntax of exact match query in Kibana Discover view Kibana	2	2403	March 13, 2020
Field value exact string Match Kibana	3	3724	September 18, 2018
Elastic Scoring for perfect match Elasticsearch	6	2525	May 18, 2020
How to query multiple fileds in Kibana Elasticsearch kql-kibana-query-language	23	2975	July 7, 2022

Query on KQL to get an exact match

Related topics