14

I'm testing the ELK stack for nginx-access logs. It looks good except I have not found a way to search records in Kibana Discovery (v5.3.2) with a path that starts with "/test/a". Search works if I remove slashes, but in this case, I get what I don't need - "/ololo/ololo?test=1"

I tried different requests:

path:/\/test\/a/
path:/\\/test\\/a/
path:"/test/a"
path:"\/test\/a"
path:"\\/test\\/a"

but nothing works as I expect.

Records:

[
{
    ...
    "path": "/test/a1"
    ...
},
{
    ...
    "path": "/test/a2"
    ...
},
{
    ...
    "path": "/ololo/ololo?test=1"
    ...
},        
]

Mapping:

"path": {
  "type": "string",
  "index": "analyzed"
},

Is there any way to search using slashes as part of pattern?

Update:

These patterns do not work either:

path:/.*\/test\/a.*/
path:/[\/]test[\/]a/
Alexey

2 Answers

12

You need to change the mapping of the path field to not be analyzed, otherwise the slashes will not be indexed.

The mapping should be like this:

"path": {
  "type": "string",
  "index": "not_analyzed"    <--- change this
},

Note that you need to delete your index and re-create it with the proper mapping in order for this to work.

After that you'll be able to search using the following query: `path:"/test/a"`

Val
  • It does not work. `path:"/test/a"` returns nothing, instead of records `/test/a1` and `/test/a2`. This works: `path:"/test/a1"` or `path:"/test/a2"`, but it's not what I need – Alexey Jul 08 '17 at 06:06
  • Oh sorry I misread your question, I missed the fact that you needed to search for path prefixes. In this case, you should be able to search for `path:/test/a*` (without the double quotes). Give it a try. – Val Jul 08 '17 at 06:22
  • `path:/test/a*` returns needed records (`/test/a1`, `/test/a2`), but also returns a lot of `/ololo?test=1`. Looks like this pattern returns all records that contain the word `test` – Alexey Jul 08 '17 at 06:29
  • Let's try something more involved with a regular expression then. Try this: `path:/^\/test\/a.*/` – Val Jul 08 '17 at 06:33
  • `path:/^\/test\/a.*/` - No results found. – Alexey Jul 08 '17 at 06:38
  • `path:/.*test.*/`, `path:/test/` - returns needed and not needed records - all records that contain the word `test` – Alexey Jul 08 '17 at 06:42
  • Another question: have you refreshed your index pattern in Kibana after recreating your index? – Val Jul 08 '17 at 07:19
  • Yes, it shows that `path` is `searchable` and `analyzed` – Alexey Jul 08 '17 at 07:30
  • Then it is not correct, it should show that it is not analyzed since you've changed the mapping. Please refresh your index pattern. – Val Jul 08 '17 at 07:35
  • It helped. Thank you – Alexey Jul 08 '17 at 07:43
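
Why the mapping change in this answer matters, as an added example (not code from the question or answers, and not Elasticsearch's implementation): a small Python model of an inverted index built from the three sample paths, once tokenized and once as whole values. The tokenizer is a simplified stand-in for the default analyzer, Python's `re` stands in for the regexp query syntax, and all function names are hypothetical.

```python
import re

# Constructed sample: the three paths from the question's records.
PATHS = ["/test/a1", "/test/a2", "/ololo/ololo?test=1"]

def analyzed_terms(value):
    """Approximate an analyzed string field: lowercase, split on non-alphanumerics.
    Simplified assumption; the point is that slashes never reach the index."""
    return re.findall(r"[a-z0-9]+", value.lower())

def keyword_terms(value):
    """not_analyzed: the whole value is indexed as a single term."""
    return [value]

def build_index(paths, to_terms):
    """Inverted index: term -> set of document ids (positions in `paths`)."""
    index = {}
    for doc_id, path in enumerate(paths):
        for term in to_terms(path):
            index.setdefault(term, set()).add(doc_id)
    return index

def regexp_query(index, paths, pattern):
    """Model of a regexp query: the pattern must match an entire indexed term."""
    rx = re.compile(pattern)
    hits = set()
    for term, doc_ids in index.items():
        if rx.fullmatch(term):
            hits |= doc_ids
    return sorted(paths[i] for i in hits)

def prefix_query(index, paths, prefix):
    """Model of a prefix query: any indexed term starting with `prefix`."""
    hits = set()
    for term, doc_ids in index.items():
        if term.startswith(prefix):
            hits |= doc_ids
    return sorted(paths[i] for i in hits)

ANALYZED = build_index(PATHS, analyzed_terms)
KEYWORD = build_index(PATHS, keyword_terms)

if __name__ == "__main__":
    print("analyzed terms:", sorted(ANALYZED))
    print("regexp 'test' on analyzed:", regexp_query(ANALYZED, PATHS, r"test"))
    print("regexp '/test/a.*' on analyzed:", regexp_query(ANALYZED, PATHS, r"/test/a.*"))
    print("regexp '/test/a.*' on keyword:", regexp_query(KEYWORD, PATHS, r"/test/a.*"))
    print("prefix '/test/a' on keyword:", prefix_query(KEYWORD, PATHS, "/test/a"))
```

In this model the analyzed index holds only the terms `1`, `a1`, `a2`, `ololo` and `test`, so a pattern containing slashes has nothing to match, while a bare `test` matches every record.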
4

Use this query as an example:

{
  "query": {
    "query_string": {
      "fields": [
        "path.keyword"
      ],
      "query": "\\/test\\/a\\/*",
      "analyzer": "keyword",
      "analyze_wildcard": true
    }
  }
}
Thiago Falcao