I'm testing the ELK stack for nginx access logs. It looks good, except I have not found a way to search records in Kibana Discover (v5.3.2) with a path that starts with "/test/a". Search works if I remove the slashes, but in this case I get what I don't need: "/ololo/ololo?test=1"
I tried different requests:
path:/\/test\/a/
path:/\\/test\\/a/
path:"/test/a"
path:"\/test\/a"
path:"\\/test\\/a"
but nothing works as I expect.
Records:
[
{
    ...
    "path": "/test/a1"
    ...
},
{
    ...
    "path": "/test/a2"
    ...
},
{
    ...
    "path": "/ololo/ololo?test=1"
    ...
},
]
Mapping:
"path": {
  "type": "string",
  "index": "analyzed"
},
Is there any way to search using slashes as part of the pattern?
Update:
These patterns do not work either:
path:/.*\/test\/a.*/
path:/[\/]test[\/]a/
Kibana Regex Searches: Regular expression queries, also known as regex queries, return search results that contain terms matching a regular expression. We use regex queries when matching data patterns that use placeholder characters, known as operators.
A phrase is a group of words surrounded by double quotation marks, such as "test search". To search for an exact string, you need to wrap the string in double quotation marks.
Text Search: The query in Kibana is not case-sensitive. Use the asterisk sign (*) for a fuzzy string search. Hit the space bar to separate words and query multiple individual terms. For example, get elasticsearch locates elasticsearch and get as separate words.
When you search for your query in the Kibana dashboard you will see the request appear in the developer console. There you can right-click and select Copy as cURL, which will copy the curl command to your clipboard.
You need to change the mapping of the path field to not be analyzed, otherwise the slashes will not be indexed.
The mapping should be like this:
"path": {
  "type": "string",
  "index": "not_analyzed"    <--- change this
},
Note that you need to delete your index and re-create it with the proper mapping in order for this to work.
After that you'll be able to search using the following query: path:"/test/a"
Use this query as an example:
{
  "query": {
    "query_string": {
      "fields": [
        "path.keyword"
      ],
      "query": "\\/test\\/a\\/*",
      "analyzer": "keyword",
      "analyze_wildcard": true
    }
  }
}
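Added example, not code from either answer: it reproduces offline why the analyzed field matches "/ololo/ololo?test=1" (the standard analyzer drops the slashes and both records share the token "test"), and builds the escaped query_string and an equivalent prefix query against the un-analyzed subfield. It assumes Elasticsearch 5.x, where the default dynamic mapping gives a string field the text type plus a `path.keyword` subfield; the tokenizer below is an approximation of the standard analyzer, not the real one, and the records are constructed.

```python
import re

# Constructed sample records mirroring the question (not real log data).
DOCS = [{"path": "/test/a1"}, {"path": "/test/a2"},
        {"path": "/ololo/ololo?test=1"}]

# Reserved characters of the query_string syntax; a literal one needs a backslash.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')

def standard_tokens(value):
    """Approximation of the standard analyzer: lowercase, split on non-word chars.
    An analyzed 'path' field therefore never holds a slash to match against."""
    return re.findall(r"\w+", value.lower())

def analyzed_hits(docs, text):
    """Docs a match on the analyzed field returns: any shared token (OR semantics)."""
    wanted = set(standard_tokens(text))
    return [d["path"] for d in docs if wanted & set(standard_tokens(d["path"]))]

def keyword_prefix_hits(docs, prefix):
    """What a prefix query on the un-analyzed path.keyword subfield returns."""
    return [d["path"] for d in docs if d["path"].startswith(prefix)]

def escape_query_string(term):
    """Backslash-escape reserved characters so query_string reads them literally."""
    return "".join("\\" + c if c in RESERVED else c for c in term)

def keyword_mapping(field="path"):
    """ES 5.x mapping: analyzed text plus an exact-value keyword subfield (assumed)."""
    return {"properties": {field: {"type": "text", "fields": {
        "keyword": {"type": "keyword", "ignore_above": 256}}}}}

def prefix_query_string(prefix, field="path.keyword"):
    """query_string body for 'starts with prefix' on the keyword subfield."""
    return {"query": {"query_string": {
        "fields": [field], "query": escape_query_string(prefix) + "*",
        "analyzer": "keyword", "analyze_wildcard": True}}}

def prefix_query(prefix, field="path.keyword"):
    """Same result with a prefix query: the value is not parsed, so no escaping."""
    return {"query": {"prefix": {field: prefix}}}

if __name__ == "__main__":
    print("analyzed match :", analyzed_hits(DOCS, "/test/a"))
    print("keyword prefix :", keyword_prefix_hits(DOCS, "/test/a"))
    print("escaped query  :", prefix_query_string("/test/a")["query"]["query_string"]["query"])
```

The prefix query is the safer choice for user-supplied paths, since nothing in the value is interpreted as query syntax.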