Rationale for indexing url as keyword?


I'm curious about the rationale for indexing urls as keyword by default (in my case it's nginx.access.url, but I noticed it's the same for apache and others) .
The documentation states that Keyword fields are searchable by their exact value only. Now, I think it's pretty common to search logs for parts of urls: Show me timings for all images, show me timings for all images of a specific customer, etc.
This way the url field is barely usable by default.

What am I missing here?

(Adrian Serrano) #2

You can use a wide range of queries on a keyword, for example prefix, wildcard, regex and fuzzy. See Term level queries.

I guess it would be more correct to state that "keyword fields are indexed by their exact value", unlike text fields, which are passed through an analyzer to convert the string into a list of terms that are indexed individually.

1 Like

Thanks Adrian,

this makes much more sense to me now. The term "Keyword fields are only searchable by their exact value" was what confused me.

Btw: Does Kibana support term level queries natively (maybe with kuery) or do I have to resort to raw queries through "edit query dsl"?

(system) closed #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.