Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[docs] Add KQL docs for combining wildcards with special characters & keywords #161377

Closed
Tracked by #166068
lukasolson opened this issue Jul 6, 2023 · 2 comments
Closed
Tracked by #166068

[docs] Add KQL docs for combining wildcards with special characters & keywords #161377

lukasolson opened this issue Jul 6, 2023 · 2 comments
Labels
docs Feature:KQL KQL Icebox impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL.

Comments

@lukasolson
Copy link
Member

A request recently came up regarding querying documents with special characters and wildcards.

For example, given the following documents:

{
   "span.name": "Elasticsearch: POST /tmp-*/_search"
}

{
   "span.name": "Elasticsearch: POST /.kibana/_search"
}

"How do I filter for documents where the stuff inside the forward slashes does not start with a dot?"

They had tried several combinations of things with the wildcard inside of quotes, which doesn't work (we should make this explicit inside the docs). The answer ultimately came down to a combination of escaping special characters and wildcards:

span.name: Elasticsearch\: POST /*/_search AND NOT Elasticsearch\: POST /.*/_search

The follow-up question then was "What if the value contained and or or?" And the answer is to also escape keywords (which I don't think we have anywhere inside our docs): /and

We should add some more detail to our docs for these two things:

  1. Wildcards cannot be used inside quotes. If using wildcards, don't use quotes and escape all special characters.
  2. How to escape keywords (and/or/not)
@lukasolson lukasolson added loe:small Small Level of Effort Feature:KQL KQL impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. docs Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. labels Jul 6, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@kertal kertal mentioned this issue Oct 1, 2024
Open
@kertal kertal added the Icebox label Oct 21, 2024
@kertal
Copy link
Member

kertal commented Oct 21, 2024

Closing this because it's not planned to be resolved in the foreseeable future. It will be tracked in our Icebox and will be re-opened if our priorities change. Feel free to re-open if you think it should be melted sooner.

@kertal kertal closed this as not planned Won't fix, can't repro, duplicate, stale Oct 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs Feature:KQL KQL Icebox impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kertal @lukasolson @elasticmachine