Simple Kibana "term query" not searching the all the fields

Elastic Stack Kibana
1

Hello, I'm puzzled by the following explanation here: Kibana Query Language | Kibana Guide [8.11] | Elastic

Terms without fields are matched against the default field in your index settings. If a default field is not set, terms are matched against all fields. For example, a query for response:200 searches for the value 200 in the response field, but a query for just 200 searches for 200 across all fields in your index.

I have 2 fields, one is event.message and the other is log.message, they are both very similar (log.message is created by a GREEDYDATA grok filter from event.message).

Since these 2 fields are very similar, I'm dropping event.message. The problem now is that Kibana doesn't search log.message using term queries (just using "query here" in the Kibana search bar without explicit field).

Why does Kibana not searching this field when they are both text/string fields? Any idea? Thanks!

2

mind sharing your query?
also, what do you mean by not searching? what is the result? what is the expected result?

3

Here's a log in Discover:

image
image729×67 6.3 KB

Here I type "initial" (because in the log, you see the word "initial":

image
image767×325 26.3 KB

But no result...

As I said, it searches properly the field event.message - which I am dropping now.

But as you see, Kibana doesn't search the current log.message (both are very similar fields, I drop one of them to save space).

I though that a "term query" (just putting a word into the search bar) will search all field (i.e "*"), but it doesn't catch log.message.

If I search using the field name in the query bar like this log.message : *initial*, it finds it:

image
image1005×425 40 KB

If I do a "term query" with the word "informational", it finds it in the field syslog.severity:

image

So why does Kibana not really searching all fields "*" when doing a "term query"? Why does not it search log.message?

4

Could be a few reasons.

  1. your second example is a single word, while your first search is inside a long string.
    Try to have the same conditions, as much as possible
  2. check differences in the filed definition.
  3. bug
5

It was working fine with event.message, I am now dropping that field because log.message is a duplicate of it. Kibana was searching the first field just with one word, while the other it refuses to search. Maybe it's a bug, but I think there is something more to this.

Check this out: Query string query | Elasticsearch Guide [8.11] | Elastic

default_field

(Optional, string) Default field you wish to search if no field is provided in the query string.

Defaults to the index.query.default_field index setting, which has a default value of * . The * value extracts all fields that are eligible for term queries and filters the metadata fields. All extracted fields are then combined to build a query if no prefix is specified.

Searching across all eligible fields does not include nested documents. Use a nested query to search those documents.

For mappings with a large number of fields, searching across all eligible fields could be expensive.

There is a limit on the number of fields that can be queried at once. It is defined by the indices.query.bool.max_clause_count search setting, which defaults to 1024.

What do they mean by "eligible fields"? Could log.message not be eligible for some reason? What are the requirements for a field to be "eligible"?

1 Like
6

I believe the meaning is eligible to term queries
So a string made out of more than 1 word, cannot be used with term queries. Unless you match the whole string, and not just part of it, like in your case.

Terms query - Terms query | Elasticsearch Guide [8.11] | Elastic

Returns documents that contain one or more exact terms in a provided field.
The terms query is the same as the term query, except you can search for multiple values

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.