Kibana query exact match
Solution 1
I had a similar issue, and ifound that ".raw" fixed it - in your example, try
url.raw : "http://www.domain_name.com"
Solution 2
Just giving more visibility to @dezhi's comment.
in newer version of ES(5.x, 6.x),
you should use `url.keyword` instead,
as they have changed to a new keyword type.
Therefore, it would be:
url.keyword : "http://www.domain_name.com"
Solution 3
Exact value is not supported out of the box.
Out of the box, Lucene does not provide exact field matches, like matching "Acer Negundo Ab" and only "Acer Negundo Ab" (not also "Acer Negundo Ab IgG" ). Neither does Lucene provide "Starts With" or "Ends With" functionality. Fortunately, there are workarounds.
Solution 4
"Cannot change the info of a user"
To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user".
Kibana v6.5
smace
Updated on July 09, 2022Comments
-
smace almost 2 years
I would like to know how to query a field to exactly match a string.
I'm actually trying to query like this:
url : "http://www.domain_name.com"
Which returns all string starting with
http://www.domain_name.com
. -
smace over 9 yearsThanks a lot, with .raw we can access to the unfiltered/untokenized string!
-
dezhi almost 7 yearsin newer version of ES(5.x, 6.x), you should use url.keyword instead, as they have changed to a new keyword type.
-
robert over 6 yearsThanks for your answer Nirdesh, but unfortunately there are some irregularities here with the actual functionality.
-
favoretti about 6 yearsThanks :) Lifesaver!
-
GPuri over 2 yearsYour answer is very much correct except 1 small thing. "Cannot change the info of a user" would even fetch a document where text would be something like: "Unautorized User Cannot change the info of a user" so anything inside "" is matched as complete phrase. I guess for exact match above answers for url.raw or url.keyword are more correct.