Hello,
Elastic 7.6.1
Queries in the analytics explorer does not seem to behave similar to what I'm used to?
Tried escaping => process.parent.executable : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Nothing works as expected. Searching for one user.name works , but when I try to use OR it doesn't.
Also tried to find a way to exclude user.name 's ending with '$' (which are computer accounts), but that also does not seem to work?
Grtz
Willem
Hi Willem,
Thanks for reaching out! The search bar in the analytics exploration views expects a particular syntax.
For example, the OR case needs to be wrapped in parenthesis like (user.name: user1 OR user.name: user2)
Backslashes need to be escaped so the query might look like process.parent.executable : "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
Here's a link with more context on the expected syntax
https://elastic.github.io/eui/#/forms/search-bar.
Hope that helps! Please let me know if I can help with anything else.
Melissa
Hey Melissa,
Thanks for your answer and the link to the docs, but sorry, already tried wrapping it in paranthesis, but it also does not work.
(user.name: user1 OR user.name: user2)
results in:
Expected [oO] but "d" found.
Also already tried escaping.. Searching for:
process.parent.executable : "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
Results in:
Expected "(", "-", "is:", end of input, field, term, or whitespace but "\"" found.
Grtz
Willem
Hey Willem,
Ah, sorry about that! In the OR query there needs to be no space between the field/value and the colon. So it would be (user.name:user1 OR user.name:user2) - apologies, I missed that the first time.
I'll double check on the escaping of backslashes and get back to you here. Thanks for your patience!
Melissa
Hey Willem,
Just following up on the escaping of backslashes - apart from the extra space between the colon and the characters, the escaping looks right. Could you give it a try without the extra space?
Melissa
Melissa,
Aha, omitting the spaces from the query does indeed work. Quite confusing that searching whatever does not work consistently between Kibana componenets imho.
I'll await your followup on the backslashes.
Tx!
Grtz
Willem
Hi Willem,
Apologies for missing your last message. The backslashes in the example you showed looked right - it was the spaces that was the issue.
Regarding consistency in search syntax between components - you're right and we are making an effort to move toward that. It always helps to have specific examples like this so your message is much appreciated! 
Melissa
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
