In Discover I am searching like this: event:"auth". I thought that would ONLY match the string auth in the event field, since I have quoted the string. But it also results in hits where auth is included in other fields. Is it supposed to be like that? If yes, how can I search for a string in a specific field only?
The quotes there won't matter too much, as per the docs.
Are you sure there isn't a * at the start?
In the JSON request, I can see it says: fields:"*"
{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "event: \"auth\"",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1444072616816,
                  "lte": 1444115816816
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "10m",
        "pre_zone": "+02:00",
        "pre_zone_adjust_large_interval": true,
        "min_doc_count": 0,
        "extended_bounds": {
          "min": 1444072616816,
          "max": 1444115816816
        }
      }
    }
  },
  "fields": [
    "*",
    "_source"
  ],
  "script_fields": {},
  "fielddata_fields": [
    "_timestamp",
    "@timestamp"
  ]
}
I did some tests on my side, and it looks like, although it does only apply the filter to the specified field (event), it will still highlight the search parameter in all fields.
So even though you see "auth" highlighted in "status_descr", you should not see any records that do NOT have "auth" in "event".
The
  "fields": [
    "*",
    "_source"
  ],
just indicates which fields are going to be returned and has no implication on what the filter is applied to.
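To make the two separate steps visible, here is an added Python simulation (not code from the thread or from Kibana) of what Pieter describes: a field-scoped query_string term like event:"auth" decides which documents are hits by looking at that one field only, while the highlight block with "fields": {"*": {}} tags the term wherever it appears in a returned hit. The sample documents are constructed, and restrict_highlight is a hypothetical helper that rewrites the request body so highlighting is limited to the queried field.

```python
import re

# Constructed sample documents, not taken from any real index.
DOCS = [
    {"event": "auth", "status_descr": "auth success for user"},
    {"event": "login", "status_descr": "auth failure"},
    {"event": "auth failed", "status_descr": "bad password"},
]

PRE, POST = "@kibana-highlighted-field@", "@/kibana-highlighted-field@"

# Accepts field:term and field:"term" (the quotes make no difference for a single word).
FIELD_QUERY = re.compile(r'^(?P<field>[\w@.]+):\s*"?(?P<term>[^"]+?)"?$')


def parse_field_query(query):
    """Split a single field-scoped query_string term into (field, lowercased term)."""
    m = FIELD_QUERY.match(query.strip())
    if not m:
        raise ValueError("expected a single field:term query, got %r" % query)
    return m.group("field"), m.group("term").lower()


def matches(doc, field, term):
    """Query step: only the named field is examined (simple whitespace tokens)."""
    return term in str(doc.get(field, "")).lower().split()


def highlight(doc, term, fields):
    """Highlight step: every field listed (or all fields for '*') is tagged, independent of the query."""
    out = {}
    for name, value in doc.items():
        if fields != ["*"] and name not in fields:
            continue
        if term in value.lower():
            out[name] = re.sub(re.escape(term), lambda m: PRE + m.group(0) + POST, value, flags=re.IGNORECASE)
    return out


def search(query, highlight_fields):
    """Return hits for a field-scoped query, each with the highlights the request would produce."""
    field, term = parse_field_query(query)
    return [{"doc": d, "highlight": highlight(d, term, highlight_fields)} for d in DOCS if matches(d, field, term)]


def restrict_highlight(body):
    """Hypothetical helper: limit the request's highlight block to the field named in the query."""
    field, _ = parse_field_query(body["query"]["filtered"]["query"]["query_string"]["query"])
    body["highlight"]["fields"] = {field: {}}
    return body
```

Running search('event:"auth"', ["*"]) returns only the two documents whose event field contains auth, yet the first of them also carries a highlight on status_descr; passing ["event"] as the highlight field list removes that.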
Thanks Pieter.
I would like to confirm this behaviour though...
Pieter is correct, this is known (and at this point, by design) behavior.
Please feel free to add to the discussion - some users did ask us to change it: