Query on KQL to get an exact match

ldomenella · March 4, 2020, 5:18pm

hi all,
im running elastic 7.6 and kibana 7.6. Im getting logs from my 2 servers tomcat and i use filebeat to send them directly to elasticseach..
doing it i added some custom fields: project
the project field is populated like that (for example):

myproject-platform-backend
myproject2-platform-backend
platform-backend

when i add this on the discovery -> query:
fields.project : "platform-backend"

i expect to see only my logs coming from this tomcat here.... but i see also the logs from the other 2...

the : is an exact match from the docs... what am i doing wrong ?

best
Luca

flash1293 · March 4, 2020, 8:53pm

Is the project field mapped as a text field? If you want to do exact matches, it's recommended to use a keyword indexed field, then the query should only return the third document.

ldomenella · March 5, 2020, 7:57am

hi,
this is mapping i've got:
"project": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}

looks to be keyword...

flash1293 · March 5, 2020, 8:06am

This means “project” is a text field, but there is a keyword indexed version of the same field called “project.keyword”. Try filtering on the second one, that should work as you expect.

system · April 2, 2020, 8:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exact match on log message field Kibana elastic-stack-alerting	6	2716	February 22, 2022
String query - exact string Kibana	7	35361	May 15, 2019
Changed many index field to Keywords now cannot query in KQL Kibana kql-kibana-query-language	3	419	June 1, 2020
Query does not return any information -- Problem with Kibana Query Language Kibana	3	761	July 29, 2020
Field value exact string Match Kibana	3	3682	September 18, 2018

Query on KQL to get an exact match

Related topics