CODEWITHSUNDEEP
elasticsearchkibana
Tony Laidig
Tony Laidig

Reputation: 1068

Kibana querying for string length

Is there a way to query for a value of a certain length in Kibana?

For example, given the following two KV pairs:

key: "some"
key: "something"

I would like to search for key.length > 5 and retrieve "something" only.

The other option I see is to add a tag from logstash, but then I'll have to reload a couple hundred GB.

Upvotes: 7

Views: 37767

Answers (4)

chengpohi
chengpohi

Reputation: 14217

You can use script query to do that in Kibana. Script Query in Kibana, There is an example for script query with key's length more than 5:

{
    "query": {
        "filtered": {
            "filter": {
                "script": {
                    "script": "doc['key'].getValue().length() > 5"
                }
            }
        }
    }
}

And also you need to enable script search in elasticsearch, you need to add the below config into elasticsearch.yml:

 script.engine.groovy.inline.search: on

Upvotes: 10

jgibson
jgibson

Reputation: 1043

You can accomplish this with a regular expression query via the Lucene query syntax. For example key:/.{6,}/ would only match records whose key field had an entry of 6 characters or more.

HT to a similar question about Solr (which also uses Lucene's query engine).

Upvotes: 7

Mousa
Mousa

Reputation: 3036

If you can reindex your index or you are just creating it, you can create a custom tokenizer as in the following:

PUT test_index
{
  "settings": {
    "analysis": {
      "analyzer": {
        "character_analyzer": {
          "type": "custom",
          "tokenizer": "character_tokenizer"
        }
      },
      "tokenizer": {
        "character_tokenizer": {
          "type": "nGram",
          "min_gram": 1,
          "max_gram": 1
        }
      }
    }
  }, 
  "mappings": {
    "person": {
      "properties": {
        "name": { 
          "type": "text",
          "fields": {
            "keyword": { 
              "type": "keyword"
            },
            "words_count": { 
              "type": "token_count",
              "analyzer": "standard"
            },
            "length": { 
              "type": "token_count",
              "analyzer": "character_analyzer"
            }
          }
        }
      }
    }
  }
}

PUT test_index/person/1
{
  "name": "John Smith"
}

PUT test_index/person/2
{
  "name": "Rachel Alice Williams"
}

GET test_index/person/_search
{
  "query": {
    "term": {
      "name.length": 10
    }
  }
}

Upvotes: 4

Yuvraj Gupta
Yuvraj Gupta

Reputation: 2475

You can do this by creating a scripted field directly in Kibana.

  • In Kibana, click on Settings tab and then click on your index pattern

  • You should see 2 tabs "Fields" and "Scripted fields".

  • Click on the "Scripted fields" tab. Then "Add scripted field".

  • Enter a "Name" in the Script field and enter the following:-

    doc['key'].value.length > 5

  • Click "Create Field" at the bottom. Now your scripted field will be added & can be viewed from Discover page.

Upvotes: 3

Related Questions