Hi, I want to filter messages by exact phrase like [ERROR] in message field, how can I do it ?
I searched with this and many other syntaxes but it returned every error and warn messages.
kubernetes.namespace :"my-namespace" and message : "[ERROR]"
I want just messages with exactly [ERROR] and not Error or error.
Thanks in advance
Isn't it the problem around field mappings and not only the problem with kql?
match_phrase query see analyzed texts, in which "[ERROR]", "Error" and "error" may be normalized into a same token: "error". You have to set custom analyzer on that field to distinguish them. One option is a white space tokenizer without any token filters.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.