Timelion query with hypen in string

Hello?

Can I use query with hypen in string on timelion expression ?

Here is query sample.
.es(
index=test*,
timefield=@timestamp,
q='elasticsearch.index.name:test-01_a-*',
metric='avg:elasticsearch.index.total.docs.count')

I want to use query with likes q='elasticsearch.index.name:test-01_a-*'
But the result is wrong. Even if I try to add escape character to dash character it's not working.

Thanks!

That really should work, the hyphen isn't a reserved character in the queries. If you put the same query in Discover search bar, do you get the same results or different?

Hi @8wlgns,

Usually, just wrapping the value of your search in "quotes" (as in q='elasticsearch.index.name:"test-01_a-*"', just works.

But I think I need to make it clear: the q= parameter uses the Lucene query syntax. The way to query for the values is very tight to the type of the field you are filtering by.

In this case, I'm going to assume elasticsearch.index.name is type: "text". The default behaviour of this type is to break the query into symbol-separated words and perform the query as if performed with the OR clause (if my assumptions are correct elasticsearch.index.name:"test-01_a-*" will search for elasticsearch.index.name contains test or contains 01_a).

I would suggest you use the query q=elasticsearch.index.name.keyword:/test-01_a-.*/ instead. The .keyword will use the entire value for the search. And the regexp expression will allow you to search for partial values (mind regexp and wildcard requests are expensive).

For more info about Lucene Query String, please, visit https://www.elastic.co/guide/en/elasticsearch/reference/7.9/query-dsl-query-string-query.html#query-dsl-query-string-query

NB: The behaviour might be different if your cluster/index has any non-default configurations.

Thanks for your very detailed reply! I'll try it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.