Start with filter or query

How do I perform a search in Kibana so that documents starting with a string match? I've done a ton of Googling and come up with nothing. I am searching a typical Apache log line in the request field.


What do you mean by "document starting with a string"?

I want the search to return only fields that start with a term. Somewhere I read that ^ would do the trick, but it didn't work. This would be searching a typical Apache access log index. I want to return log lines that either start with, or do not start with, "/admin/index.php" regardless of the URL parameters after the question mark, e.g. index.php?thisfield=test1&thatfield=test2.

request:^/admin/index.php

Here is a full record.

{
  "_index": "apache-access_2018.01.31",
  "_type": "doc",
  "_id": "4vVETmEB3Wi_gLjvSceJ",
  "_version": 1,
  "_score": null,
  "_source": {
    "geoip": {
      "ip": "177.37.134.130",
      "longitude": -39.3346,
      "coordinates": [
        -39.3346,
        -5.1342
      ],
      "region_name": "Ceara",
      "city_name": "Quixeramobim",
      "country_code2": "BR",
      "latitude": -5.1342,
      "location": {
        "lon": -39.3346,
        "lat": -5.1342
      },
      "timezone": "America/Fortaleza",
      "region_code": "CE",
      "country_code3": "BR",
      "postal_code": "63800",
      "country_name": "Brazil",
      "continent_code": "SA"
    },
    "agent": "\"-\"",
    "virtualhost": "exampledomain.com",
    "source": "/var/log/httpd/access_log",
    "request": "/index.php",
    "message": "177.37.134.130 - - [31/Jan/2018:22:09:08 +0000] exampledomain.com \"GET /index.php HTTP/1.1\" 301 260 \"-\" \"-\" Server=aws7 \"-\" 191 0",
    "apache-access": true,
    "@timestamp": "2018-01-31T22:09:08.000Z",
    "host": "aws7.hostdomain.net",
    "bytes": 260,
    "referrer": "\"-\"",
    "clientip": "177.37.134.130",
    "offset": 17617570,
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "response": "301",
    "server": "aws7",
    "timestamp": "31/Jan/2018:22:09:08 +0000",
    "httpversion": "1.1",
    "user_agent": {
      "device": "Other",
      "build": "",
      "name": "Other",
      "os": "Other",
      "os_name": "Other"
    },
    "logline": "177.37.134.130 - - [31/Jan/2018:22:09:08 +0000] exampledomain.com \"GET /index.php HTTP/1.1\" 301 260 \"-\" \"-\" Server=aws7 \"-\" 191 0",
    "verb": "GET",
    "@version": "1",
    "request_duration_ms": 191,
    "request_duration_s": 0,
    "beat": {
      "name": "aws7.hostdomain.net",
      "version": "6.1.2",
      "hostname": "aws7.hostdomain.net"
    }
  },
  "fields": {
    "@timestamp": [
      "2018-01-31T22:09:08.000Z"
    ]
  },
  "highlight": {
    "logline": [
      "177.37.134.130 - - [31/Jan/2018:22:09:08 +0000] @kibana-highlighted-field@exampledomain.com@/kibana-highlighted-field@ \"GET /index.php HTTP/1.1\" 301 260 \"-\" \"-\" Server=aws7 \"-\" 191 0"
    ],
    "message": [
      "177.37.134.130 - - [31/Jan/2018:22:09:08 +0000] @kibana-highlighted-field@exampledomain.com@/kibana-highlighted-field@ \"GET /index.php HTTP/1.1\" 301 260 \"-\" \"-\" Server=aws7 \"-\" 191 0"
    ],
    "virtualhost.keyword": [
      "@kibana-highlighted-field@exampledomain.com@/kibana-highlighted-field@"
    ],
    "virtualhost": [
      "@kibana-highlighted-field@exampledomain.com@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1517436548000
  ]
}
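The thread never gets an answer, so here is an added worked example (not code from the original thread or from Elastic) of what a "starts with" search on the request field looks like in Elasticsearch query DSL, alongside a local emulation over a few constructed Apache log lines that shows exactly which records each query selects. Two things it assumes that the page does not state: that the index has a keyword sub-field `request.keyword` (the posted record shows `virtualhost.keyword`, which is what the default dynamic mapping creates, so the same is likely for `request`), and that the lines follow the combined-style format visible in the posted record. The security-relevant caveat is that a `prefix` query on `/admin/index.php` also matches `/admin/index.php.bak`, so the example includes a `regexp` variant that pins the exact path while still allowing any query string.

```python
"""Prefix ("starts with") matching on an Apache request path.

Added example, not code from the original thread. Assumptions (not shown on
the page): a keyword sub-field `request.keyword` exists, and log lines use
the combined-style format of the posted record.
"""
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG_LINES = [
    '10.0.0.1 - - [31/Jan/2018:22:09:08 +0000] exampledomain.com "GET /index.php HTTP/1.1" 301 260 "-" "-"',
    '10.0.0.2 - - [31/Jan/2018:22:09:09 +0000] exampledomain.com "GET /admin/index.php HTTP/1.1" 200 1024 "-" "curl/7.58.0"',
    '10.0.0.3 - - [31/Jan/2018:22:09:10 +0000] exampledomain.com "POST /admin/index.php?thisfield=test1&thatfield=test2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [31/Jan/2018:22:09:11 +0000] exampledomain.com "GET /admin/index.php.bak HTTP/1.1" 404 196 "-" "-"',
    '10.0.0.5 - - [31/Jan/2018:22:09:12 +0000] exampledomain.com "GET /blog/admin/index.php HTTP/1.1" 200 300 "-" "-"',
]

# Matches the leading part of a combined-format line; field names mirror the
# posted record (clientip, timestamp, virtualhost, verb, request, ...).
APACHE_LINE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] (?P<virtualhost>\S+) '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<httpversion>\d\.\d)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
)


def parse_apache_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = APACHE_LINE.match(line)
    return m.groupdict() if m else None


# --- Elasticsearch query DSL ------------------------------------------------

def prefix_query(field: str, value: str) -> dict:
    """Documents whose `field` starts with `value`.

    Target the keyword sub-field, not the analysed text field: the standard
    analyser splits "/admin/index.php?x=1" into tokens such as "admin" and
    "index.php", so "starts with" has no meaning on `request` itself. In the
    Lucene query bar `^` is the boost operator, not a line anchor. Note that
    the default keyword mapping uses ignore_above=256, so very long request
    strings are not indexed in the sub-field and will not match.
    """
    return {"query": {"prefix": {field: {"value": value}}}}


def not_prefix_query(field: str, value: str) -> dict:
    """Documents whose `field` does NOT start with `value`."""
    return {"query": {"bool": {"must_not": [{"prefix": {field: {"value": value}}}]}}}


# Characters that are operators in Lucene regexp syntax and need a backslash.
_LUCENE_REGEX_SPECIALS = set('.?+*|{}[]()"\\#@&<>~')


def lucene_exact_path_regexp(path: str) -> str:
    """Lucene regexp for `path` exactly, optionally followed by ?query-string.

    Lucene regexps are implicitly anchored to the whole term, so this rejects
    "/admin/index.php.bak" while still accepting "/admin/index.php?a=1".
    """
    escaped = "".join("\\" + c if c in _LUCENE_REGEX_SPECIALS else c for c in path)
    return escaped + r"(\?.*)?"


def exact_path_query(field: str, path: str) -> dict:
    return {"query": {"regexp": {field: {"value": lucene_exact_path_regexp(path)}}}}


# --- Local equivalents, to show which records each query selects -----------

def prefix_matches(records: List[Dict[str, str]], prefix: str) -> List[Dict[str, str]]:
    return [r for r in records if r["request"].startswith(prefix)]


def not_prefix_matches(records: List[Dict[str, str]], prefix: str) -> List[Dict[str, str]]:
    return [r for r in records if not r["request"].startswith(prefix)]


def exact_path_matches(records: List[Dict[str, str]], path: str) -> List[Dict[str, str]]:
    pattern = re.compile(re.escape(path) + r"(\?.*)?")
    return [r for r in records if pattern.fullmatch(r["request"])]


if __name__ == "__main__":
    import json

    records = [r for r in map(parse_apache_line, SAMPLE_LOG_LINES) if r]
    target = "/admin/index.php"
    print(json.dumps(prefix_query("request.keyword", target)))
    print("prefix     :", [r["clientip"] for r in prefix_matches(records, target)])
    print("not prefix :", [r["clientip"] for r in not_prefix_matches(records, target)])
    print(json.dumps(exact_path_query("request.keyword", target)))
    print("exact path :", [r["clientip"] for r in exact_path_matches(records, target)])
```

In the Kibana query bar the `prefix` query's Lucene-syntax equivalent is `request.keyword:\/admin\/index.php*`; the slashes must be escaped there because an unescaped `/` delimits a regexp in query-string syntax, which is not an issue when the same query is sent as DSL.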

Bump

bump

bump
