I am using the ELK stack to index my Apache access logs and everything is fine, but I have a small problem. Here it is:
I need to find all documents whose request field starts with '/page1' so I can graph the response time of page1 only and not of all pages. I tried the following:
request:page1 gives me requests which have page1 anywhere in their request URL, not just at the start.
request:/^/page1/ gives me zero results.
Can you help me with this?
I need to find all documents whose request starts with '/page1/' only, and not requests which contain /page1 elsewhere in their URL.
The issue in this case is most likely the analyzing of the data. If you are using the Elastic Stack 5.0 or above and haven't tweaked the mapping, there should also be a request.keyword field, which holds the unanalyzed string (and thus the path intact, not split up at each slash).
The following query should work: request.keyword:\/page1* (the slash at the beginning must be escaped so Elasticsearch doesn't think you are trying to start a regex). Also, this wildcard search should be way faster than using regular expressions.
If you want a regular expression, the following should work the same: request.keyword:/\/page1.*/ - escaping the slash is also needed here, and ES always tries to match the whole string, so you don't need the ^, but you do need the .* at the end.
I've tried to explain the effects of analyzing on querying in a blog post on my page.
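As an added example (not code from the original thread, and not Elasticsearch's own implementation), the script below emulates the three behaviours the answer describes over a handful of constructed access-log documents: a term query on the analyzed request field hitting page1 anywhere in the path, a wildcard on request.keyword matching the untouched string from the first character, and a regexp that is implicitly anchored to the whole string. The standard_analyze helper is a deliberately rough stand-in for the standard analyzer, and the DOCS list is made-up sample data; both are assumptions for illustration.

```python
import re

# Constructed sample documents standing in for Apache access-log events
# indexed by Logstash; example data, not taken from the original thread.
DOCS = [
    {"request": "/page1/index.html", "response_time": 120},
    {"request": "/page1", "response_time": 95},
    {"request": "/page10/list", "response_time": 300},
    {"request": "/blog/page1/comments", "response_time": 410},
    {"request": "/about/page1.html", "response_time": 80},
    {"request": "/contact", "response_time": 50},
]


def standard_analyze(text):
    """Rough stand-in (assumption) for Elasticsearch's standard analyzer:
    lowercase and split on '/', '.', whitespace and other punctuation.
    Enough to show why an analyzed 'request' field forgets where in the
    path '/page1' occurred."""
    return [tok for tok in re.split(r"[^a-z0-9]+", text.lower()) if tok]


def match_analyzed_term(doc, field, term):
    """request:page1 against the analyzed field: hit if 'page1' is any
    token of the path, no matter whether it sits at the start."""
    return term.lower() in standard_analyze(doc[field])


def match_keyword_wildcard(doc, field, pattern):
    """request.keyword:\\/page1* : Lucene wildcard on the untouched string.
    Only '*' and '?' are special; every other character is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, doc[field]) is not None


def match_keyword_regexp(doc, field, pattern):
    """request.keyword:/\\/page1.*/ : Lucene regexes are anchored to the
    whole string, hence fullmatch (no ^ needed, trailing .* required)."""
    return re.fullmatch(pattern, doc[field]) is not None


def search(matcher, *args):
    """Run one matcher over DOCS; return matching request paths in index order."""
    return [d["request"] for d in DOCS if matcher(d, "request", *args)]


def avg_response_time(matcher, *args):
    """Mean response_time of the hits, i.e. the number the questioner wants
    to graph for page1 alone."""
    hits = [d["response_time"] for d in DOCS if matcher(d, "request", *args)]
    return sum(hits) / len(hits) if hits else None


def query_dsl(field, kind, value):
    """Query DSL equivalent of the query_string forms from the answer
    (kind is 'wildcard' or 'regexp'). In the JSON DSL the leading slash
    needs no escaping, since nothing is parsed as query-string syntax."""
    return {"query": {kind: {field: {"value": value}}}}


if __name__ == "__main__":
    print("analyzed  request:page1           ->", search(match_analyzed_term, "page1"))
    print("keyword   wildcard /page1*        ->", search(match_keyword_wildcard, "/page1*"))
    print("keyword   wildcard /page1/*       ->", search(match_keyword_wildcard, "/page1/*"))
    print("keyword   regexp   /page1.*       ->", search(match_keyword_regexp, "/page1.*"))
    print("avg response time for /page1/*    ->", avg_response_time(match_keyword_wildcard, "/page1/*"))
    print(query_dsl("request.keyword", "wildcard", "/page1/*"))
```

One caveat worth checking before graphing: the answer's pattern /page1* also matches /page10/list, because the wildcard only cares about the string prefix. If only the '/page1/' subtree is wanted, as the question's last line says, the pattern should be /page1/* (in query_string syntax both slashes escaped: request.keyword:\/page1\/*), which in the sample above drops /page10/list and the bare /page1.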