Hi, I'm facing an odd situation.
I have a text field (string_value) in a index (let's call it search_index) which can get the value "OR" (in caps, without quotes).
I created a Elasticsearch filter section in Logstash to query this index:
elasticsearch {
hosts => ["elasticsearch:9200"]
index => ["logstash-search_index-*"]
query => "string_value.keyword:%{[string]}"
result_size => 1
fields => {"other_field" => "other_field"}
}
What this is basically doing, assuming that string = OR, is to query Elasticsearch in this way:
GET logstash-search_index-*/_search?q=string_value.keyword:OR
However, in this particular case I get an error from Elasticseach:
...
"type": "parse_exception",
"reason": "Cannot parse 'string_value.keyword:OR': Encountered \" <OR> \"OR \"\" at line 1, column 24.\nWas expecting one of:\n <BAREOPER> ...\n \"(\" ...\n \"*\" ...\n <QUOTED> ...\n <TERM> ...\n <PREFIXTERM> ...\n <WILDTERM> ...\n <REGEXPTERM> ...\n \"[\" ...\n \"{\" ...\n <NUMBER> ...\n ",
...
Other string combinations are working correctly.
How to avoid this?
Edit: apparently the way to address the issue is to generate the following query:
GET logstash-search_index-*/_search?q=string_value.keyword:"OR"
But the question is: how to address this on Logstash configuration? Custom query template?