Search colon separated values in text field in Kibana fails

Kibana version: 5.3.0

Elasticsearch version: 5.3.0

Browser version: Chrome 56

I have some data with the following structure:

{
  "_index": "...",
  "_type": "...",
  "_id": "...",
  "_score": null,
  "_source": {
    "ActivityID": "7aa89a606fb940598c1906fcc315788f",
    "input_type": "log",
    "Date": "2017-04-05 15:00:05.0212",
    "Details": " Data:  EventsCount: 1 accountId: 12345 otherId: 12345 sql: SELECT Bla FROM Bla EventId: 5",
    "ThreadID": "21",
    "@version": "1"
  }
}

And I can successfully use the regexp filter to filter the values AFTER the colon in the Details column:

{
  "query": {
    "regexp": {
      "Details": {
        "value": "[0-9]{5}"
      }
    }
  }
}

This highlights all the accountId/otherId values containing 5 digits.

But if I try to filter on the name (i.e. EventsCount/accountId/otherId or "accountId: 12345") I do not get any result.

Details is just a string field, so its content should be considered all together as one big string, but for some reason it is not searching the names before the colon (and/or the whitespace and the colon themselves, which I believe is the default behaviour).

Mapping:

  "Details": {
    "type": "text",
    "norms": false
  },

I think this is because the field is indexed (this is due to the fact that it's mapped as a text field). But you can highlight fields containing a string by using a wildcard filter like this:

{
  "query": {
    "wildcard": {
      "system.network.name": "*accountId*"
    }
  }
}

Thank you for the reply; I will try this now and see if it works, but is there a way to use regex for that?

EDIT: Just tried, wildcard doesn't work either.
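
Added example, not part of the original thread: a small Python model of why the term-level regexp and wildcard queries above match `[0-9]{5}` but not `accountId` on a `text` field. The `analyze` function is a simplified stand-in (assumption) for the standard analyzer, and the phrase check goes one step beyond the thread to show an analyzed query for comparison.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the Details value from the document shown in the thread.
DETAILS = (" Data:  EventsCount: 1 accountId: 12345 otherId: 12345 "
           "sql: SELECT Bla FROM Bla EventId: 5")

def analyze(text):
    """Simplified stand-in for the standard analyzer (assumption): split on
    non-alphanumeric characters and lowercase every token."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]

def regexp_hits(pattern, terms):
    """Term-level regexp: the pattern must match one whole indexed term."""
    return [t for t in terms if re.fullmatch(pattern, t)]

def wildcard_hits(pattern, terms):
    """Term-level wildcard: case-sensitive, also matched per indexed term."""
    return [t for t in terms if fnmatchcase(t, pattern)]

def phrase_match(query, terms):
    """Analyzed phrase search: the query text goes through the same analyzer,
    then its tokens must appear consecutively in the field."""
    q = analyze(query)
    return any(terms[i:i + len(q)] == q for i in range(len(terms) - len(q) + 1))

# What the index holds for Details: lowercase terms, no colons or spaces.
TERMS = analyze(DETAILS)

if __name__ == "__main__":
    print(TERMS)
    for p in ("[0-9]{5}", "accountId", "accountId: 12345", "accountid"):
        print("regexp  ", repr(p), regexp_hits(p, TERMS))
    for p in ("*accountId*", "*accountid*"):
        print("wildcard", repr(p), wildcard_hits(p, TERMS))
    print("phrase  ", repr("accountId: 12345"), phrase_match("accountId: 12345", TERMS))
```

The mixed-case and multi-word patterns find nothing because no single indexed term contains an uppercase letter, a colon or a space; the lowercase patterns and the analyzed phrase do match.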
