Using where filter with multi values field on data table

Elastic Stack Elasticsearch
#1

Hello,

I used to work on Splunk and working with multi values field, and it's easy break multivalue fields using "stats x by xx" command and perform a where filter after.

We considered this log with multi values field :
{ "multivaluefield" : ["toto","kiki","123"] }

Ex of the Splunk Query :

| index="test"
| stats c by multivaluefield
| where multivaluefield="toto"

The splunk result will only return "toto" value.

Instead of ELK, i perform split using data table then Buckets --> split rows by multivaluefield.
I tried to combine using query dsl to only filter on "toto" value :

{
"query": {
"bool": {
"must": [
{
"regexp": {
"multivaluefield": "toto"
}
}
]
}
}
}

But, elk returned all result of my multi value field :frowning:

elk
elk824×96 2.1 KB

How i can perfom the same behavior of Splunk on ELK ?

Regards,
Ishu

#2

:up: :frowning:

#3

:up: :frowning:

#4

:up: :::

#5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.