Tags: elasticsearch, kibana, kibana-6

Filter square brackets on Kibana


I'm struggling to filter square brackets on my log messages in Kibana. Suppose I have the messages:

[BOOK] The Book 32 was sold
Exception on buying BOOK

And I want to filter only messages having exactly [BOOK] (so I should get only the first one).

I have tried filtering free text with all kinds of escaping I could think of:

[BOOK]
"[BOOK]"
\[BOOK\]
"\[BOOK\]"
\\[BOOK\\]

And also tried filtering by the message field:

message: [BOOK]*
message: "[BOOK]*"
message: \[BOOK\]*
message: "\[BOOK\]*"

But Kibana seems to simply ignore the square brackets and always brings both messages, highlighting only the BOOK word.

How can I force it to search for the []?


Solution

  • If your message field is analysed text, then the brackets are dropped by the analyzer. You should run your query against a keyword data type. More precisely, you will need to run a regexp against a keyword data type, such as a prefix or a wildcard query.

    Let's assume that the mapping of message is keyword. If [BOOK] is always at the beginning of your log message, then a valid query is the following:

    { "query": {
      "prefix": {
        "message": "[BOOK]"
      }
    }}
    

    If instead you would like to search for [BOOK] in any part of the message value, then you would need something like:

    { "query": {
      "wildcard": {
        "message": "*[BOOK]*"
      }
    }}
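To see why the brackets vanish on an analysed text field and why the prefix and wildcard queries above behave differently on a keyword field, here is an added Python simulation (not part of the original answer and not Elasticsearch's own code) of a simplified standard analyzer versus the untouched keyword value, run over the two log messages from the question as constructed input:

```python
import re

# The two constructed log lines from the question.
MESSAGES = [
    "[BOOK] The Book 32 was sold",
    "Exception on buying BOOK",
]

def analyze(text):
    """Simplified stand-in for the standard analyzer: split on non-word
    characters and lowercase. Punctuation such as [ and ] is dropped, so a
    text field cannot tell '[BOOK]' apart from 'BOOK'."""
    return [tok.lower() for tok in re.findall(r"\w+", text)]

def match_query(messages, query):
    """match query on an analysed text field: a document matches when any
    analysed query token appears among its own tokens."""
    q_tokens = set(analyze(query))
    return [m for m in messages if q_tokens & set(analyze(m))]

def prefix_query(messages, prefix):
    """prefix query on a keyword field: exact, case-sensitive prefix of the
    stored value, brackets included."""
    return [m for m in messages if m.startswith(prefix)]

def wildcard_to_regex(pattern):
    """Elasticsearch wildcard patterns treat only * and ? specially; every
    other character, including [ and ], is literal. (A shell-style glob
    matcher such as fnmatch would wrongly read [BOOK] as a character class.)"""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

def wildcard_query(messages, pattern):
    """wildcard query on a keyword field: the whole stored value must match."""
    rx = wildcard_to_regex(pattern)
    return [m for m in messages if rx.match(m)]

if __name__ == "__main__":
    print("text/match      :", match_query(MESSAGES, "[BOOK]"))       # both
    print("keyword/prefix  :", prefix_query(MESSAGES, "[BOOK]"))      # first only
    print("keyword/wildcard:", wildcard_query(MESSAGES, "*[BOOK]*"))  # first only
```

The same message stored in both a text and a keyword mapping would show exactly this split: the text field matches both lines on the token `book`, while only the keyword queries honour the brackets.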