Kibana query exact match

regex lucene elasticsearch kibana
61,280

Solution 1

I had a similar issue, and ifound that ".raw" fixed it - in your example, try

url.raw : "http://www.domain_name.com"

Solution 2

Just giving more visibility to @dezhi's comment.

in newer version of ES(5.x, 6.x), 
you should use `url.keyword` instead, 
as they have changed to a new keyword type.

Therefore, it would be:

url.keyword : "http://www.domain_name.com"

Solution 3

Exact value is not supported out of the box.

http://blogs.perl.org/users/mark_leighton_fisher/2012/01/stupid-lucene-tricks-exact-match-starts-with-ends-with.html

Out of the box, Lucene does not provide exact field matches, like matching "Acer Negundo Ab" and only "Acer Negundo Ab" (not also "Acer Negundo Ab IgG" ). Neither does Lucene provide "Starts With" or "Ends With" functionality. Fortunately, there are workarounds.

Solution 4

"Cannot change the info of a user"

To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example would match any documents containing one of the following words: "Cannot" OR "change" OR "the" OR "info" OR "a" OR "user".

Kibana v6.5

Share:
61,280
smace
Author by

smace

Updated on July 09, 2022

Comments

  • smace
    smace almost 2 years

    I would like to know how to query a field to exactly match a string.

    I'm actually trying to query like this:

    url : "http://www.domain_name.com"

    Which returns all string starting with http://www.domain_name.com .

  • smace
    smace over 9 years
    Thanks a lot, with .raw we can access to the unfiltered/untokenized string!
  • dezhi
    dezhi almost 7 years
    in newer version of ES(5.x, 6.x), you should use url.keyword instead, as they have changed to a new keyword type.
  • robert
    robert over 6 years
    Thanks for your answer Nirdesh, but unfortunately there are some irregularities here with the actual functionality.
  • favoretti
    favoretti about 6 years
    Thanks :) Lifesaver!
  • GPuri
    GPuri over 2 years
    Your answer is very much correct except 1 small thing. "Cannot change the info of a user" would even fetch a document where text would be something like: "Unautorized User Cannot change the info of a user" so anything inside "" is matched as complete phrase. I guess for exact match above answers for url.raw or url.keyword are more correct.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Searching within an array in kibana
ElasticSearch/Lucene query string — select "field X exists"
How to search Json message in Kibana elasticSearch
Access Control in Elastic - missing authentication credentials for REST request
escape special character in elasticsearch query
How to speed up Elasticsearch recovery?
Any open source alerting and reporting plugin for ELK stack is available?
Elastic Search Lucene version error
Slow index speed of Elasticsearch
Kibana startup fails with License information and later with Unable to retrieve version information