Unexpected Behavior of Kibana Query for Filtering Logs with Specific Keywords

Dokh_Ahmed · November 27, 2023, 1:34pm

I'm using a Kibana query (log_message:(Started* OR Disabled*)) to filter logs that start with the keywords "Started" or "Disabled". However, I've noticed that this query also returns log lines containing these keywords in the middle of the line, not just at the beginning. I expected only lines starting with these keywords to be returned.

Is there an error in my query or a specific way to filter only log lines that start with these keywords rather than lines containing these words elsewhere in the log?

Thank you for your help!

Priscilla_Parodi · November 30, 2023, 2:04pm

Hello @Dokh_Ahmed,

This is a text field, correct? Try using the keyword sub-field instead.

log_message.keyword: (Started* OR Disabled*)

Then you will have an exact match.

system · December 28, 2023, 2:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter with regex to select lines that contain a certain word type Kibana	3	302	August 17, 2021
Query related logs that contain a keyword Kibana	7	2850	March 24, 2021
Filter logs with only DEBUG in them Kibana	3	1160	July 24, 2018
Filtering logs based on the content of other logs in Kibana Kibana	3	330	November 22, 2019
Filter messages that contains some specific text Kibana	5	32509	December 12, 2021

Unexpected Behavior of Kibana Query for Filtering Logs with Specific Keywords

Related topics