I know the correct way to look for user 12345678 in Discover is to say
userId:12345678
But if I type userId=12345678, I get every message that contains any userId. So what does = do? Does it do anything? Does Kibana just stop when it sees it and trim the query to "userId"?
= isn't an operator, so it's treated as part of the query itself, just like the letters before and numbers afterwards. I'm assuming at least one of your fields that is analyzed contain the actual text userId somewhere within it, which would probably match that query.
If I Filter on userId=12345678 my results come back -
userId=1236
userId=1234
userId=1238
where the bold is the highlighted text indicating that Kibana found what you were searching for.
But, if I filter with it in double quotes "userId=12345678" I get
userId=12345678
It never seems to recognize the = as part of the search query. It treats it almost like an OR statement without the quotes and an AND statement with the quotes.
Most likely because the field you're querying is analyzed. When you search special characters like that against an analyzed field, those special characters get stripped. You could try explicitly querying the keyword version of the field, in which case it should actually query the =.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.