How do I exclude multiple terms in Kibana 4

Question

How can I exclude multiple search terms in Kibana 4? If I type in only one term, it excludes it...but how can I have more than one excluded term. For example, the term "not yet classified"

score 57 · Answer 1 · answered Apr 09 '15 at 18:51

57

If I understand your question properly, you're trying to use the "Exclude Pattern" to exclude certain values from populating in the chart.

The "Exclude Pattern" and "Include Pattern" fields are for Regular Expressions and are documented here: http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html.

If you want to exclude multiple fields, you could do something like this:

term1|term2|term3

answered Apr 09 '15 at 18:51

Travis Swientek

1,206
9
14

10

to expand on this more, it helped point me in the right direction, and then reading [link](https://www.elastic.co/guide/en/elasticsearch/reference/1.4/search-aggregations-bucket-terms-aggregation.html#_filtering_values) I see that if I were to exclude 2 terms I would do something like this `(.*test.*)|(.*monitor.*)` where I wanted to exclude some events that had either "test" or "monitor" within their values. – scaph01 Dec 04 '15 at 16:20
What scaph01 said just above is correct. In my production, I use (.*word.*)|(.*word2.*) and so on to exclude multiple words – danno May 03 '17 at 16:40

score 41 · Answer 2 · answered Mar 24 '15 at 11:38

41

The query field in Kibana uses Lucene syntax which has some info at http://www.lucenetutorial.com/lucene-query-syntax.html.

To exclude a term containing specific text, use

-field: "text"

to exclude different texts, I use

-field: ("text1" or "text2")

If it's two separate fields, try

-field1: "text1" -field2: "text2"

answered Mar 24 '15 at 11:38

SimonH

964
6
17

2

I don't think OP was talking about the query field. Specifically the "Exclude Pattern" field while building a visualization. It does not appear that the Exclude Pattern field is Lucene Syntax. Excluding data via the query excludes any object containing your search string. The Exclude Pattern is not documented very well, but I would imagine it just excludes that term from the graph. – Travis Swientek Apr 09 '15 at 18:40
13

Even though it may not address the OP, I found the answer to my question through this post. – jonnybazookatone Jun 10 '15 at 08:46
I know I'm late to the party, but -term or -"phrase with multiple words" also works if you want to exclude results with your term(s) anywhere in the record. – slim May 30 '18 at 13:22

score 10 · Answer 3 · answered Jun 30 '19 at 16:02

in newer version of kibana if you want to exclude some term use this:

not field : "text"

if you want to exclude a phrase use this:

not field : "some text phrase"

you can use other logical operation with not:

field: "should have phrase" and not field: "excluded phrase"

score 0 · Answer 4 · answered May 13 '21 at 22:12

0

https://www.elastic.co/guide/en/kibana/master/kuery-query.html

To match documents where response is 200 but extension is not php or css.

response:200 and not (extension:php or extension:css)

answered May 13 '21 at 22:12

user669789

554
4
10
23

score -1 · Answer 5 · answered Apr 02 '20 at 14:54

-1

So in the query above the visualization, you can use Lucene syntax to exclude the hits, once saved this will perform the same as an attempt of using regex or Lucene syntax in the Exclude Field of the Buckets advanced options.

answered Apr 02 '20 at 14:54

mrainville1618

1

How do I exclude multiple terms in Kibana 4

5 Answers5