Unable to Search Indexed Fields

James_Tighe · May 20, 2016, 8:07am

Hi All,

I am relatively new to the Elastic Stack and am having good results so far. One thing I cannot get to work though is full text search on some of the fields.

I am using Filebeat to ship an unformatted log across to Logstash. Using GROK I am then adding fields based on patterns. These fields show fine in Kibana and I can visualise the data from them without issue.

The problem is that I cannot search these fields.

On of the fields is Priority and contains the value INF. If I try to search in the search bar using [Priority]:"INF" this returns no results. Even using lowercase returns nothing.

I can however search using

{"wildcard":{"Priority":"INF"}}

Is there something I have to set in the mapping to allow this field to be searched correctly?

My files are the type "log" and the index is showing the following mapping

    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "strict_date_optional_time||epoch_millis"
      },
      "@version": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "ID": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "Message": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "Priority": {
        "type": "string",
        "index": "not_analyzed"
      },
      "Process": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "beat": {
        "properties": {
          "hostname": {
            "type": "string",
            "index": "not_analyzed",
            "ignore_above": 1024
          },
          "name": {
            "type": "string",
            "index": "not_analyzed",
            "ignore_above": 1024
          }
        }
      },
      "geoip": {
        "dynamic": "true",
        "properties": {
          "location": {
            "type": "geo_point"
          }
        }
      },
      "host": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "input_type": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "message": {
        "type": "string"
      },
      "offset": {
        "type": "long"
      },
      "source": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "tags": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "time": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      },
      "type": {
        "type": "string",
        "index": "not_analyzed",
        "ignore_above": 1024
      }
    }

Is this to do with the index template being incorrect?

Any help would be appreciated.

Thanks

James

James_Tighe · May 23, 2016, 1:00pm

I believe I located the problem to my own issue.

When I imported the Priority field from my data I had to perform a GSUB on the value as it had an extraneous square bracket. The GSUB replaced this with a space.

Therefore the filter failed as the field is not analysed so I had to search WITH the space in the string. If I do this it works and Kibana returns results.

Thanks

James

Topic		Replies	Views
Set up index for fields created with logstash Logstash	2	829	September 14, 2018
Not able to search on indexed fields in Kibana Kibana	7	1681	July 6, 2017
We are getting "unindexed fields or ignored values cannot be searched" Kibana	2	1127	January 27, 2023
Not able to search on indexed fields Kibana	1	498	July 6, 2017
Kibana full text search problem Kibana	5	1715	September 15, 2017

Unable to Search Indexed Fields

Related topics