String query - exact string

Hello everyone:

I m doing the following filtering:

beat.hostname:APS01 AND program_name:"deadline"

And I get the results:

ss1279×262 29.8 KB

Unfortunately, I don't want to include "deadline_balancer" here. When I filter:

"beat.hostname:APS01 AND program_name:"deadline_balancer" it's all good:

ss21348×195 24.2 KB

Can you please let me know how to accomplish this? The only Info I found in the documentation is:

"To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user"."

Thanks in advance!

Hello Astarandel, it's more of an ES question than a Kibana one - is it an analyzed field, and is it using the standard analyzer? If so, is it also a multi-field, eg. also using keyword? Please refer to the links below as to why these matter:

Thanks a lot Robert!

I m pretty new to the whole ELK stack. I m going to explore your suggestion!

Much appreciated!

Hello @monfera,

as far as I understood I need to re-map that certain field to be "not_analyzed". I have a question regarding this. Should I do this in the Elasticsearch or since I use logstash to parse the data, is it needed to create some sort of logstash template?

Thanks a lot for the help!

best,

Lyubo

Hello Lyubo, it's an ES concept, please refer to this thread though it points to a former ES version

Thanks for the help. The thread you mentioned is very nice.

Also, I've found out that when I do filtering of the sort:

field_name.keyword:"string_name" does exactly what I want

Yes, the .keyword part is a good route if you still want to preserve the option to run queries on the field as an analyzed field.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.