Search syntax

In Discover I am searching like this: event:"auth". I thought that would ONLY match the string auth in the event field, since I have quoted the string. But it also results in hits where auth is included in other fields. Is it supposed to be like that? If yes, how can I search for a string in a specific field only?

The quotes there won't matter too much, as per the docs.

Are you sure there isn't a * at the start?

I am positive. Please have a look at my attached screenshots.

In the JSON request, I can see it says: fields:"*"

    {
      "size": 500,
      "sort": [
        {
          "@timestamp": {
            "order": "desc",
            "unmapped_type": "boolean"
          }
        }
      ],
      "query": {
        "filtered": {
          "query": {
            "query_string": {
              "query": "event: \"auth\"",
              "analyze_wildcard": true
            }
          },
          "filter": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": 1444072616816,
                      "lte": 1444115816816
                    }
                  }
                }
              ],
              "must_not": []
            }
          }
        }
      },
      "highlight": {
        "pre_tags": [
          "@kibana-highlighted-field@"
        ],
        "post_tags": [
          "@/kibana-highlighted-field@"
        ],
        "fields": {
          "*": {}
        },
        "fragment_size": 2147483647
      },
      "aggs": {
        "2": {
          "date_histogram": {
            "field": "@timestamp",
            "interval": "10m",
            "pre_zone": "+02:00",
            "pre_zone_adjust_large_interval": true,
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1444072616816,
              "max": 1444115816816
            }
          }
        }
      },
      "fields": [
        "*",
        "_source"
      ],
      "script_fields": {},
      "fielddata_fields": [
        "_timestamp",
        "@timestamp"
      ]
    }

I did some tests on my side, and it looks like, although it does only apply the filter to the specified field (event), it will still highlight the search parameter in all fields.

So even though you see "auth" highlighted in "status_descr", you should not see any records that do NOT have "auth" in "event".

The

    "fields": [
      "*",
      "_source"
    ],

just indicates which fields are going to be returned and has no implication on what the filter is applied to.
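
The behaviour described above can be checked on a search response: the following is an added example, not code from the thread or from Kibana. It separates the field that was queried from fields that were only highlighted, and builds a highlight section scoped to one field. The sample hits are constructed, and the word-boundary regex is an assumption standing in for the field's analyzer.

```python
import re

# Highlight tags copied from the request shown in the thread.
PRE = "@kibana-highlighted-field@"
POST = "@/kibana-highlighted-field@"


def scoped_highlight(field):
    """Highlight section limited to the queried field instead of "*"."""
    return {
        "pre_tags": [PRE],
        "post_tags": [POST],
        "require_field_match": True,  # standard Elasticsearch highlight option
        "fields": {field: {}},
    }


def audit_hits(hits, field, term):
    """Per hit: does the term occur in the queried field, and which other
    fields were only highlighted incidentally?"""
    # Assumption: a word-boundary regex stands in for the field's analyzer.
    word = re.compile(r"\b%s\b" % re.escape(term), re.IGNORECASE)
    report = []
    for hit in hits:
        value = str(hit.get("_source", {}).get(field, ""))
        highlighted = hit.get("highlight", {})
        report.append({
            "id": hit["_id"],
            "matched_in_field": bool(word.search(value)),
            "incidental": sorted(f for f in highlighted if f != field),
        })
    return report


# Constructed sample hits (not taken from the thread's screenshots).
SAMPLE_HITS = [
    {"_id": "1",
     "_source": {"event": "auth", "status_descr": "auth failure for user"},
     "highlight": {"event": [PRE + "auth" + POST],
                   "status_descr": [PRE + "auth" + POST + " failure for user"]}},
    {"_id": "2",
     "_source": {"event": "auth", "status_descr": "ok"},
     "highlight": {"event": [PRE + "auth" + POST]}},
]

if __name__ == "__main__":
    for row in audit_hits(SAMPLE_HITS, "event", "auth"):
        print(row)
```
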

Thanks Pieter.
I would like to confirm this behaviour though...

Pieter is correct, this is known (and at this point, by design) behavior.

Please feel free to add to the discussion - some users did ask us to change it: