Kibana 4: Can't do wildcard query with dot in field value - elasticsearch

I have an analyzed field hostname and a not_analyzed field hostname.raw.
I'm trying to query a few hosts that have a dot in the field value, like
AP.MO.HALL-01
AP.MO.2FLOOR-01
When I try to query hostname:AP.MO.*, it also returns hosts with the value AP.MOOCA.HALL
When I try to query using the field that isn't analyzed, I get no results at all: hostname.raw:AP.MO.*
How can I make Kibana respect the dot before the wildcard?

I was able to get a similar issue resolved by using a RegEx query, and escaping the periods within the hostname.
Looking at your example, something similar to the following should work:
hostname: /.*AP\.MO\..*/
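An added example (not code from the question or answer above) that escapes Lucene regexp metacharacters, builds the Kibana query-bar expression and the equivalent Query DSL body, and emulates locally why an unescaped dot over-matches the sample hostnames. The hostname values are taken from the question; the helper names are assumptions of this example.

```python
import re

# Characters with special meaning in Lucene/Elasticsearch regexp syntax
# (the syntax behind Kibana's /.../ queries). Constructed set for this example.
_LUCENE_REGEX_META = set('.?+*|{}[]()"\\#@&<>~')


def lucene_regex_escape(value: str) -> str:
    """Backslash-escape regexp metacharacters so a literal fragment such as
    'AP.MO.' matches only itself, not 'AP.MOOCA.'."""
    return ''.join('\\' + ch if ch in _LUCENE_REGEX_META else ch for ch in value)


def kibana_prefix_regex(field: str, literal_prefix: str) -> str:
    """Kibana query-bar expression of the form field:/literal.*/, anchored to
    the start of the whole (not_analyzed) value."""
    return f"{field}:/{lucene_regex_escape(literal_prefix)}.*/"


def es_regexp_query(field: str, literal_prefix: str) -> dict:
    """Equivalent Query DSL body for the same search against the raw sub-field."""
    return {"query": {"regexp": {field: lucene_regex_escape(literal_prefix) + ".*"}}}


# Constructed sample values from the question. A not_analyzed field keeps the
# whole value as one term, so the regexp is matched against the full string.
SAMPLE_HOSTS = ["AP.MO.HALL-01", "AP.MO.2FLOOR-01", "AP.MOOCA.HALL"]


def local_matches(pattern: str, hosts=SAMPLE_HOSTS) -> list:
    """Emulate Lucene's whole-value regexp matching with re.fullmatch. Only '.',
    '\\.' and '.*' are used here, which behave the same in both engines."""
    return [h for h in hosts if re.fullmatch(pattern, h)]


if __name__ == "__main__":
    # An unescaped dot matches any character, so AP.MOOCA.HALL slips through.
    print(local_matches("AP.MO..*"))
    # Escaped dots match the literal separator only: the first two hosts.
    print(local_matches(lucene_regex_escape("AP.MO.") + ".*"))
    print(kibana_prefix_regex("hostname.raw", "AP.MO."))
```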

Related

How can I use standard SQL on text fields of Elasticsearch without using the special Elasticsearch SQL operators?

I would like to create an SQL query on some text field (not keyword), for example the "name" field, and send that query to the Elasticsearch server.
My problem is that I need to use the standard SQL language (not the MATCH and QUERY operators which are special to Elasticsearch SQL) on text fields.
When I tried to use the JDBC driver, or when I tried to use the high-level Java client with the LIKE operator, I got the following error:
"No keyword/multi-field defined exact matches for [name]; define one or use MATCH/QUERY instead"
I also tried to use the translate API of Elasticsearch, but even there I couldn't use the "LIKE" operator on text fields, only on keyword fields.
Does anyone have any solution for me? I want to use the LIKE operator on text fields instead of the full text operators which are unique to Elasticsearch SQL.
Please check this documentation. They have clearly mentioned in the document that it is not possible:
One significant difference between LIKE/RLIKE and the full-text search predicates is that the former act on exact fields while the latter also work on analyzed fields. If the field used with LIKE/RLIKE doesn't have an exact not-normalized sub-field (of keyword type) Elasticsearch SQL will not be able to run the query. If the field is either exact or has an exact sub-field, it will use it as is, or it will automatically use the exact sub-field even if it wasn't explicitly specified in the statement.
If you still want to use a text field then you need to enable a multi-field as mentioned here. Or you can try enabling fielddata on the text field, but I am not sure whether it will work with SQL or not.

Elasticsearch: dot in search query

I have 2 documents in Elasticsearch. One has a field domain with 8.8.8.8 as its value and the other has ip-188-165-238.eu as its value.
When I'm trying to find 8.8.8.8 it finds both of the documents.
The problem is that the dot "." is a separator in Elasticsearch and I can't find any option to escape it in the search query. I tried 8\.8\.8\.8 but still get the same results.
The question is whether there is any way of escaping a dot in an ES query? Or maybe some workaround?

Elasticsearch wildcard query rewrite parameter not working with new wildcard field type?

The Wildcard Query offers a rewrite parameter to influence how Lucene calculates the relevance scores. On keyword fields this works as expected but it does not seem to work with the new wildcard field type which belongs to the keyword family. Is this an expected behavior or a bug?
As confirmed by Elastic staff, the rewrite parameter is unsupported. Unlike keyword fields, the wildcard field doesn't have a single indexed token for each term so it has no pre-built count for the document frequency of whole values. Instead it uses an ngram index which obviously has different frequencies for the multiple terms a search string can be broken down into.

How to query elasticsearch from kibana using regex with - in it?

I am trying to query Elasticsearch where source is as follows:
source => /home/user/logs/serviceA.inst-app3.test.log.INFO.20180204-084131.21231
I want to filter all messages where source is serviceA.*INFO*. However, Kibana returns an empty list. For queries like serviceA.* or serviceA*, Kibana returns the result with serviceA.inst highlighted. My suspicion is that the minus sign in the file name is causing the issue.
How do I query Elasticsearch from Kibana with a regex which has a minus sign (-) in it?

Search by ignore value case checking

In my index I have inserted fields without changing the case of the values (upper case or lower case); for example, in my Elasticsearch document a field name contains the value Hello World. And I have made the name field not_analyzed for exact matching. But in that case, when I search for hello world this document isn't returned by Elasticsearch, probably due to case sensitivity. I have tried using a term query and a match query but haven't had any luck.
Please suggest if there is a way.
Thanks
The only way you can do this in Elasticsearch is by analyzing the field and using token filters. There is a lowercase token filter available that you should use but this can't really be done on-the-fly like SQL where you wrap the field to be queried against in something like LOWER().
To get the effect you desire I would use something like the Keyword tokenizer with the Lowercase token filter. If you set this analyzer to be the default analyzer for indexing and searching then your searches will also be case insensitive.
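An added example (not code from the answer above) that builds the index body for the suggested default analyzer (keyword tokenizer plus lowercase filter) and emulates locally how that analyzer turns "Hello World" and "hello world" into the same single token. The field name "name" comes from the question; the mapping uses the current "text" type and the helper names are assumptions of this example.

```python
import json


def case_insensitive_index_body(field: str = "name") -> dict:
    """Index settings/mappings with a custom analyzer registered as the index
    default: the keyword tokenizer keeps the whole value as one token (so the
    field still behaves like an exact match) and the lowercase filter is
    applied both at index time and at query time."""
    return {
        "settings": {
            "analysis": {
                "analyzer": {
                    "default": {
                        "type": "custom",
                        "tokenizer": "keyword",
                        "filter": ["lowercase"],
                    }
                }
            }
        },
        "mappings": {"properties": {field: {"type": "text"}}},
    }


def analyze(text: str) -> list:
    """Local emulation of keyword tokenizer + lowercase filter: exactly one
    token, the whole input lowercased (no splitting on spaces or dots)."""
    return [text.lower()]


def match_query_hits(query: str, docs: list) -> list:
    """Emulate a match query when the same default analyzer is used on both
    sides: the single query token must equal the single indexed token."""
    q_tokens = analyze(query)
    return [d for d in docs if analyze(d) == q_tokens]


# Constructed sample documents for this example.
DOCS = ["Hello World", "hello there", "World Hello"]

if __name__ == "__main__":
    print(json.dumps(case_insensitive_index_body(), indent=2))
    # Only the exact (case-folded) whole value matches, not partial words.
    print(match_query_hits("hello world", DOCS))
```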