Searching within an array in kibana


It would be a simple field:<search_term> query, like:

  "query": {
    "query_string": {
      "query": "stacktrace_array:*second line*"
    }
    ...

So in layman's terms, for the Kibana dashboard, put your search query like so:

stacktrace_array:*second line*
Author: erbdex

Updated on June 04, 2022
Question

  • erbdex, almost 2 years ago

    I am pushing my logs to Elasticsearch, which stores a typical doc as:

    {
      "_index": "logstash-2014.08.11",
      "_type": "machine",
      "_id": "2tSlN1P1QQuHUkmoJfkmnQ",
      "_score": null,
      "_source": {
        "category": "critical log with list",
        "app_name": "attachment",
        "stacktrace_array": [
          "this is the first line",
          "this is the second line",
          "this is the third line",
          "this is the fourth line"
        ],
        "@timestamp": "2014-08-11T13:30:51+00:00"
      },
      "sort": [
        1407763851000,
        1407763851000
      ]
    }

    Kibana makes searching substrings very easy. For example, searching for "critical" in the dashboard will fetch all logs with the word critical in any string-mapped value.

    How do I go about searching for something like "second line", which is a string nested in an array within my doc?