Menu
I am newbie to ELK. I want to search for docs based on order of occurrence of words in a field. For example,
In doc1, my_field: "MY FOO WORD BAR EXAMPLE"
In doc2, my_field: "MY BAR WORD FOO EXAMPLE"
I would like to query in Kibana for docs where "FOO" is followed by "BAR" and not the opposite. So, I would like doc1 to return in this case and not doc2. I tried using below query in Kibana search. But, it is not working. This query doesn't even produce any search results.
my_field.raw:/.*FOO.*BAR.*/
I also tried with analyzed field(just my_field), though I came to know that should not work. And of course, that didn't produce any results either.
Please help me with this regex search. Why am I not getting any matching result for that query?
876
Regular expressionsThey can be used, for example, for partial and case-insensitive matching or searching for terms containing special characters. To embed regular expressions in a Kibana query, you need to wrap them in forward-slashes (“/”).
To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user".
In the toolbar, click Alerts > Create search threshold rule. The Create rule form is pre-filled with the latest query sent to Elasticsearch. Configure your query and select a connector type. Click Save.
GET /_search
{
"query": {
"regexp": {
"user": {
"value": "k.*y",
"flags" : "ALL",
"max_determinized_states": 10000,
"rewrite": "constant_score"
}
}
}
}
More details on here
165
I'm not sure offhand why that regex query wouldn't be working but I believe Kibana is using Elasticsearch's query string query documented here so for instance you could do a phrase query (documented in the link) by putting your search in double quotes and it would look for the word "foo" followed by "bar". This would perform better too since you would do this on your analyzed field (my_field) where it has tokenized each word to perform fast lookups. So you search in Kibana would be:
my_field: "FOO BAR"
Update:
Looks like this is an annoying quirk of Kibana (probably for backwards compatability reasons). Anyway, this isn't matching for you because you're searching against a non-analyzed field and apparently Kibana by default is lowercasing the search therefore it won't match the the non-analyzed uppercase "FOO". You can configure this in Kibana advanced settings mentioned here, specifically by setting the configuration option "lowercase_expanded_terms" to false.
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
